From c020f7ac20dc7c178263866ecfee8a25f37b4d73 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 2 Feb 2024 16:46:28 +0100
Subject: [PATCH] cleanup: various minor debugging improvements (#2889)

* ci: improve constellation_create error message
When we hit a timeout due to nodes not coming up, the actual error message is hard to make out because it's buried in a group. With the right formatting, the error message will be highlighted in the UI. Another improvement is to output the state of nodes, which helps debugging the cause of nodes not joining or not becoming ready.

* cleanup: use NodeVersionResourceName constant
... instead of literal strings.

* ci: correctly notify on e2e upgrade error

* atls: report cert extension OIDs on mismatch
If the certificate contains an attestation document for SEV-SNP, but the given validator is for Nitro, verifyEmbeddedReport should not claim that there is no attestation document, but that there is no _compatible_ one and what the incompatible ones were.
---
 .github/actions/constellation_create/action.yml | 4 +++-
 .github/workflows/e2e-upgrade.yml | 3 +--
 internal/atls/atls.go | 4 +++-
 internal/constellation/kubecmd/kubecmd.go | 2 +-
 joinservice/internal/server/server.go | 2 +-
 5 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index fc6954ad24..403428f85a 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -221,7 +221,9 @@ runs:
 sleep 30
 done
 if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then
- echo "Timed out waiting for nodes to join"
+ kubectl get nodes -o wide
+ echo "::error::Timed out waiting for nodes to join"
+ echo "::endgroup::"
 exit 1
 fi
 echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined"
diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml
index 4e0d9d4527..5b5f5975c3 100644
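Review bot: The new `kubectl get nodes -o wide` diagnostic runs before the `::error::` line and before the group is closed; if this step uses the default `bash -e` shell (the shell declaration is outside the hunk), a failing kubectl call — plausible in exactly the timeout case this branch handles, e.g. an unreachable API server — would abort the step before the highlighted error and `::endgroup::` are printed, losing the message the change is meant to surface. Making the diagnostic best-effort keeps the error path intact: `kubectl get nodes -o wide || true`. The enclosing run block starts and ends outside the hunk.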
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@@ -524,8 +524,7 @@ jobs:
 - name: Notify about failure
 if: |
 always() &&
- needs.create-cluster.result != 'success' &&
- needs.e2e-upgrade.result != 'success' &&
+ ( needs.create-cluster.result != 'success' || needs.e2e-upgrade.result != 'success' ) &&
 github.ref == 'refs/heads/main' &&
 inputs.scheduled
 continue-on-error: true
diff --git a/internal/atls/atls.go b/internal/atls/atls.go
index 06fc38cb04..14f5c1f768 100644
--- a/internal/atls/atls.go
+++ b/internal/atls/atls.go
@@ -200,6 +200,7 @@ func processCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) (*x509.Certi
 // verifyEmbeddedReport verifies an aTLS certificate by validating the attestation document embedded in the TLS certificate.
 func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash, nonce []byte) error {
+ var exts []string
 for _, ex := range cert.Extensions {
 for _, validator := range validators {
 if ex.Id.Equal(validator.OID()) {
@@ -216,9 +217,10 @@ func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash,
 return nil
 }
 }
+ exts = append(exts, ex.Id.String())
 }
- return errors.New("certificate does not contain attestation document")
+ return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %#v", exts)
 }
 func hashPublicKey(pub any) ([]byte, error) {
diff --git a/internal/constellation/kubecmd/kubecmd.go b/internal/constellation/kubecmd/kubecmd.go
index 0d06f5f8e8..d2ea0d7f4e 100644
--- a/internal/constellation/kubecmd/kubecmd.go
+++ b/internal/constellation/kubecmd/kubecmd.go
@@ -303,7 +303,7 @@ func (k *KubeCmd) getConstellationVersion(ctx context.Context) (updatev1alpha1.N
 Group: "update.edgeless.systems",
 Version: "v1alpha1",
 Resource: "nodeversions",
- }, "constellation-version")
+ }, constants.NodeVersionResourceName)
 if err != nil {
 return updatev1alpha1.NodeVersion{}, err
 }
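Review bot: The rewritten condition still tests `!= 'success'`, which also matches `skipped` and `cancelled`; together with `always()` a scheduled run on main that is cancelled by hand now triggers the failure notification too, which may or may not be intended. If only genuine failures should notify, `( needs.create-cluster.result == 'failure' || needs.e2e-upgrade.result == 'failure' ) &&` expresses that directly and still fires when e2e-upgrade is skipped because create-cluster failed. The step's remaining keys continue past the hunk.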
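Review bot: `%#v` on the new `exts` slice renders Go syntax (`[]string{"1.2.3"}`) and, for a certificate with no extensions at all, the confusing `[]string(nil)`; since this string ends up in a handshake error, `%v` reads better and prints `[]` for the nil case: `return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %v", exts)`. Note also that `exts` (introduced in the first hunk of this file) collects every extension OID, including standard ones such as key usage and SANs, not only attestation-document candidates, so the message lists more than the incompatible attestation documents the description mentions; the doc comment on verifyEmbeddedReport could state that, e.g. `// On failure the error lists all extension OIDs found in the certificate.` The validation of a matching extension between the two hunks is not visible here.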
diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go
index b65383d41a..af80e96f47 100644
--- a/joinservice/internal/server/server.go
+++ b/joinservice/internal/server/server.go
@@ -197,7 +197,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo
 // getK8sComponentsConfigMapName reads the k8s components config map name from a VolumeMount that is backed by the k8s-version ConfigMap.
 func (s *Server) getK8sComponentsConfigMapName(ctx context.Context) (string, error) {
- k8sComponentsRef, err := s.kubeClient.GetK8sComponentsRefFromNodeVersionCRD(ctx, "constellation-version")
+ k8sComponentsRef, err := s.kubeClient.GetK8sComponentsRefFromNodeVersionCRD(ctx, constants.NodeVersionResourceName)
 if err != nil {
 return "", fmt.Errorf("could not get k8s components config map name: %w", err)
 }