From c37a598144e20d3f27da727b77a9415160fa46d3 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 17 Oct 2023 12:07:12 +0200 Subject: [PATCH 01/29] add self-managed infra e2e test --- .../actions/constellation_create/action.yml | 15 +++++++-- .github/actions/e2e_test/action.yml | 5 +-- .../actions/self_managed_create/action.yml | 32 +++++++++++++++++++ .github/workflows/e2e-test-manual.yml | 1 + .github/workflows/e2e-test-weekly.yml | 14 ++++++++ 5 files changed, 63 insertions(+), 4 deletions(-) create mode 100644 .github/actions/self_managed_create/action.yml diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index 25815f6157..2931ffe188 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -1,5 +1,5 @@ name: Constellation create -description: Create a new Constellation cluster using latest OS image. +description: Create a new Constellation cluster using the latest OS image. inputs: workerNodesCount: @@ -124,14 +124,25 @@ runs: run: | yq eval -i '(.internalLoadBalancer) = true' constellation-conf.yaml - - name: Constellation create + - name: Show Cluster Configuration shell: bash run: | echo "Creating cluster using config:" cat constellation-conf.yaml sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true + + - name: Constellation create (CLI) + if : inputs.test != 'self-managed infra' + shell: bash + run: | constellation create -y --debug --tf-log=DEBUG + - name: Constellation create (self-managed) + if : inputs.test == 'self-managed infra' + uses: ./.github/actions/self_managed_create + with: + cloudProvider: ${{ inputs.cloudProvider }} + - name: Cdbg deploy if: inputs.isDebugImage == 'true' uses: ./.github/actions/cdbg_deploy diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index 0ec7de5286..1dc4398c98 100644 
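Review bot: The new `if : inputs.test != 'self-managed infra'` and `if : inputs.test == 'self-managed infra'` conditions in constellation_create read an input this action never declares — I don't see a hunk in this patch adding a `test` entry under its `inputs:` (the diffstat's 13 insertions are all accounted for by the two visible hunks), yet the e2e_test hunk at `@@ -260,6 +260,7 @@` starts passing `test: ${{ inputs.test }}` to it. For a composite action an undeclared input evaluates to the empty string as far as I know (and the caller gets an "Unexpected input" warning), so the self-managed branch would never run and the CLI `constellation create` path would always be taken; add a `test:` input with a description and `required: false` / `default: ""` to this action. The space before the colon in `if :` is also non-standard (yamllint `colons`); write `if: inputs.test != 'self-managed infra'` as the `if:` on the cdbg step below does.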
--- a/.github/actions/e2e_test/action.yml +++ b/.github/actions/e2e_test/action.yml @@ -53,7 +53,7 @@ inputs: description: "Azure credentials authorized to create an IAM configuration." required: true test: - description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]." + description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, self-managed infra, nop, upgrade]." required: true sonobuoyTestSuiteCmd: description: "The sonobuoy test suite to run." @@ -89,7 +89,7 @@ runs: using: "composite" steps: - name: Check input - if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "nop", "upgrade"]'), inputs.test)) + if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "self-managed infra", "nop", "upgrade"]'), inputs.test)) shell: bash run: | echo "::error::Invalid input for test field: ${{ inputs.test }}" @@ -260,6 +260,7 @@ runs: kubernetesVersion: ${{ inputs.kubernetesVersion }} refStream: ${{ inputs.refStream }} internalLoadBalancer: ${{ inputs.internalLoadBalancer }} + test: ${{ inputs.test }} - name: Deploy log- and metrics-collection (Kubernetes) id: deploy-logcollection diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml new file mode 100644 index 0000000000..c35bad28e0 --- /dev/null +++ b/.github/actions/self_managed_create/action.yml 
@@ -0,0 +1,32 @@ +name: Self-managed infrastructure creation +description: "Create the required infrastructure for a Constellation cluster manually." + +inputs: + cloudProvider: + description: "The cloud provider the test runs on." + required: true + +runs: + using: "composite" + steps: + - name: Copy Terraform configuration + shell: bash + working-directory: + run : | + cp ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra + + - name: Apply Terraform configuration + shell: bash + working-directory: ${{ github.workspace }}/e2e-infra + run : | + terraform init + terraform apply -auto-approve + + - name: Write outputs to state file + shell: bash + working-directory: ${{ github.workspace }}/e2e-infra + run : | + touch ${{ github.workspace }}/constellation-state.yaml + yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval '.infrastructure.initSecret ="$(terraform output initSecret | jq -r | tr -d '\n' | base64)"' --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval '.infrastructure.clusterEndpoint ="$(terraform output ip)"' --inplace ${{ github.workspace }}/constellation-state.yaml diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml index f506d670d8..fef21a2bf6 100644 --- a/.github/workflows/e2e-test-manual.yml +++ b/.github/workflows/e2e-test-manual.yml @@ -35,6 +35,7 @@ on: - "verify" - "recover" - "malicious join" + - "self-managed infra" - "nop" required: true kubernetesVersion: diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index 16c2019988..841d42560e 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml 
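Review bot: The `Copy Terraform configuration` step in the new self_managed_create action has a bare `working-directory:` with no value, which YAML parses as null rather than a path; either set it to `${{ github.workspace }}` like the other two steps or drop the key, since the `cp` uses absolute paths anyway. All three steps also spell the key as `run :` with a space before the colon (yamllint `colons`), while the existing constellation_create steps use `run: |`. In the `Write outputs to state file` step the yq expressions are single-quoted, so the `$(terraform output …)` substitutions stay literal and the embedded `'\n'` closes the outer quote early — the value written to the state file would be the text of the command, not its output.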
@@ -171,6 +171,20 @@ jobs: provider: "aws" kubernetes-version: "v1.28" + # self-managed infra test on latest k8s version + - test: "self-managed infra" + refStream: "ref/main/stream/debug/?" + provider: "gcp" + kubernetes-version: "v1.28" + - test: "self-managed infra" + refStream: "ref/main/stream/debug/?" + provider: "azure" + kubernetes-version: "v1.28" + - test: "self-managed infra" + provider: "aws" + refStream: "ref/main/stream/debug/?" + kubernetes-version: "v1.28" + # # Tests on release-stable refStream # From 34db9abf7ac72a14d734ed039c63d7783a8b6986 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 17 Oct 2023 12:13:00 +0200 Subject: [PATCH 02/29] self-managed terminatio Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/constellation_destroy/action.yml | 12 ++++++++++++ .github/workflows/e2e-test-daily.yml | 1 + .github/workflows/e2e-test-manual.yml | 3 ++- .github/workflows/e2e-test-release.yml | 3 ++- .github/workflows/e2e-test-weekly.yml | 3 ++- .github/workflows/e2e-upgrade.yml | 3 ++- 6 files changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml index 253ce81625..70be277ae3 100644 --- a/.github/actions/constellation_destroy/action.yml +++ b/.github/actions/constellation_destroy/action.yml @@ -5,6 +5,9 @@ inputs: kubeconfig: description: "The kubeconfig for the cluster." required: true + test: + description: "The e2e test payload." + required: true runs: using: "composite" 
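Review bot: The third new matrix entry (`provider: "aws"`) lists `provider` before `refStream`, while the gcp and azure entries directly above it use the order `refStream`, `provider`, `kubernetes-version`; reorder it to keep the matrix entries uniform and diffable. The `refStream: "ref/main/stream/debug/?"` value is presumably the workflow's existing placeholder for the latest debug image — I can't confirm from this hunk how the trailing `?` is resolved.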
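Review bot: The description `"The e2e test payload."` on the new `test` input of constellation_destroy does not tell a caller what the value is used for; suggest `description: "Name of the e2e test being run; 'self-managed infra' selects the Terraform teardown instead of constellation terminate."`. Marking it `required: true` also means every existing caller of this action has to be updated in the same patch — a workflow that is missed would, as far as I know, only get a warning and silently take the CLI terminate path; `required: false` with `default: ""` makes that fallback explicit rather than accidental.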
@@ -39,6 +42,15 @@ runs: echo "::endgroup::" - name: Constellation terminate + if: inputs.test != 'self-managed infra' shell: bash run: | constellation terminate --yes --tf-log=DEBUG + + - name: Constellation terminate (self-managed) + if: inputs.test == 'self-managed infra' + shell: bash + working-directory: ${{ github.workspace }}/e2e-infra + run: | + terraform init + terraform destroy -auto-approve diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index 8931ad6020..6bd3da2319 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml @@ -97,6 +97,7 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} + test: ${{ matrix.test }} - name: Always delete IAM configuration if: always() diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml index fef21a2bf6..9b0dc9732c 100644 --- a/.github/workflows/e2e-test-manual.yml +++ b/.github/workflows/e2e-test-manual.yml @@ -267,7 +267,8 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - + test: ${{ inputs.test }} + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml index f26a14cd4f..96b4e0387f 100644 --- a/.github/workflows/e2e-test-release.yml +++ b/.github/workflows/e2e-test-release.yml @@ -219,7 +219,8 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - + test: ${{ matrix.test }} + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index 841d42560e..8dca6b9fe1 100644 --- a/.github/workflows/e2e-test-weekly.yml 
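Review bot: The new `Constellation terminate (self-managed)` step can only tear down the infrastructure if the `${{ github.workspace }}/e2e-infra` directory from the create step is still present, because the Terraform state is local to the runner — nothing in this series configures a remote backend. A job that is cancelled or dies before reaching this step therefore leaves cloud resources behind with no state to destroy them from; uploading `e2e-infra/terraform.tfstate` as an artifact on failure, or configuring a backend for the e2e runs, would make cleanup recoverable from a later run. The enclosing steps list continues outside the hunk.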
+++ b/.github/workflows/e2e-test-weekly.yml @@ -251,7 +251,8 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - + test: ${{ matrix.test }} + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml index 9bfc20b2ad..51574e48d4 100644 --- a/.github/workflows/e2e-upgrade.yml +++ b/.github/workflows/e2e-upgrade.yml @@ -287,7 +287,8 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - + test: ${{ matrix.test }} + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy From 135f53ac7177343e8cbc0d9c36c9cf961dcd5f43 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 17 Oct 2023 12:25:51 +0200 Subject: [PATCH 03/29] fix upgrade test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/workflows/e2e-upgrade.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml index 51574e48d4..bdd917a051 100644 --- a/.github/workflows/e2e-upgrade.yml +++ b/.github/workflows/e2e-upgrade.yml @@ -287,8 +287,8 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - test: ${{ matrix.test }} - + test: "upgrade" + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy From b5c9d9e7d84470b0ea8975d4ccd56ea4b9b27608 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 17 Oct 2023 13:29:15 +0200 Subject: [PATCH 04/29] fix indentation 
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index c35bad28e0..7a34d63cc8 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -15,12 +15,12 @@ runs: run : | cp ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra - - name: Apply Terraform configuration - shell: bash - working-directory: ${{ github.workspace }}/e2e-infra - run : | - terraform init - terraform apply -auto-approve + - name: Apply Terraform configuration + shell: bash + working-directory: ${{ github.workspace }}/e2e-infra + run : | + terraform init + terraform apply -auto-approve - name: Write outputs to state file shell: bash From 538c807ae771e9cc00f824cbad1b260c897114d3 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 17 Oct 2023 15:08:36 +0200 Subject: [PATCH 05/29] use -r when copying dir Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 7a34d63cc8..059f66a5b7 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -13,7 +13,7 @@ runs: shell: bash working-directory: run : | - cp ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra + cp -r ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra - name: Apply Terraform configuration shell: bash 
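Review bot: `cp -r <src-dir> ${{ github.workspace }}/e2e-infra` only yields the flat layout that the later `working-directory: ${{ github.workspace }}/e2e-infra` steps expect when `e2e-infra` does not exist yet; if it does, `cp -r` places the provider directory inside it as `e2e-infra/<provider>` and `terraform init` finds no configuration. On a fresh runner that holds, but a re-run in the same workspace would break; `mkdir -p "${{ github.workspace }}/e2e-infra" && cp -r "${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }}/." "${{ github.workspace }}/e2e-infra"` is unambiguous either way. The step still carries the bare `working-directory:` key with no value from the first patch.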
From 5d22373020e51b33f41f4b2959bdbdb39ad6f0ee Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 18 Oct 2023 09:24:51 +0200 Subject: [PATCH 06/29] add terraform variable parsing --- .../actions/constellation_create/action.yml | 1 + .../actions/self_managed_create/action.yml | 54 +++++++++++++++++++ 2 files changed, 55 insertions(+) diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index 2931ffe188..7cbe5ef490 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -142,6 +142,7 @@ runs: uses: ./.github/actions/self_managed_create with: cloudProvider: ${{ inputs.cloudProvider }} + osImage: ${{ steps.setImage.outputs.image }} - name: Cdbg deploy if: inputs.isDebugImage == 'true' diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 059f66a5b7..de98cad3b3 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -5,6 +5,9 @@ inputs: cloudProvider: description: "The cloud provider the test runs on." required: true + osImage: + description: "OS image to use." + required: true runs: using: "composite" 
@@ -15,6 +18,57 @@ runs: run : | cp -r ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra + - name: Write Terraform variables + shell: bash + working-directory: ${{ github.workspace }}/e2e-infra + run : | + echo "name = \"$(yq '.name' constellation-conf.yaml)\"" >> terraform.tfvars + echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars + echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars + echo "image_id = \"${{ inputs.osImage }}\"" >> terraform.tfvars + echo "node_groups = {\n \ + control_plane_default = {\n \ + role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\"\n \ + zone = \"$(yq '.nodeGroups.control_plane_default.zone' constellation-conf.yaml)\"\n \ + zones = [ \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" ]\n \ + instance_type = \"$(yq '.nodeGroups.control_plane_default.instanceType' constellation-conf.yaml)\"\n \ + disk_size = \"$(yq '.nodeGroups.control_plane_default.stateDiskSizeGB' constellation-conf.yaml)\"\n \ + disk_type = \"$(yq '.nodeGroups.control_plane_default.stateDiskType' constellation-conf.yaml)\"\n \ + initial_count = \"$(yq '.nodeGroups.control_plane_default.initialCount' constellation-conf.yaml)\"\n \ + }\n \ + worker_default = {\n \ + role = \"$(yq '.nodeGroups.worker_default.role' constellation-conf.yaml)\"\n \ + zone = \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\"\n \ + zones = [ \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" ]\n \ + instance_type = \"$(yq '.nodeGroups.worker_default.instanceType' constellation-conf.yaml)\"\n \ + disk_size = \"$(yq '.nodeGroups.worker_default.stateDiskSizeGB' constellation-conf.yaml)\"\n \ + disk_type = \"$(yq '.nodeGroups.worker_default.stateDiskType' constellation-conf.yaml)\"\n \ + initial_count = \"$(yq '.nodeGroups.worker_default.initialCount' 
constellation-conf.yaml)\"\n \ + } \ + }" \ + >> terraform.tfvars + if [[ "${{ inputs.cloudProvider }}" == 'aws' ]]; then + echo "iam_instance_profile_control_plane = \"$(yq '.provider.aws.iamProfileControlPlane' constellation-conf.yaml)\"" >> terraform.tfvars + echo "iam_instance_profile_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars + echo "region = \"$(yq '.provider.aws.region' constellation-conf.yaml)\"" >> terraform.tfvars + echo "zone = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars + echo "ami = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars + echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars + elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then + echo "create_maa = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars + echo "confidential_vm = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars + echo "secure_boot = $(yq '.provider.azure.secureBoot' constellation-conf.yaml)" >> terraform.tfvars + echo "resource_group = \"$(yq '.provider.azure.resourceGroup' constellation-conf.yaml)\"" >> terraform.tfvars + echo "user_assigned_identity = \"$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)\"" >> terraform.tfvars + elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then + echo "project = \"$(yq '.provider.gcp.project' constellation-conf.yaml)\"" >> terraform.tfvars + echo "region = \"$(yq '.provider.gcp.region' constellation-conf.yaml)\"" >> terraform.tfvars + echo "zone = \"$(yq '.provider.gcp.zone' constellation-conf.yaml)\"" >> terraform.tfvars + fi + terraform fmt terraform.tfvars + echo "Using Terraform variables:" + cat terraform.tfvars + - name: Apply Terraform configuration shell: bash working-directory: ${{ github.workspace }}/e2e-infra 
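Review bot: In the `node_groups` block, `control_plane_default.zones` is filled from `yq '.nodeGroups.worker_default.zone'` while every other control-plane field reads `.nodeGroups.control_plane_default.*`; this looks like a copy-paste slip, and the same line survives the rewrite of this block in the later `remove unnecessary line breaks` patch. Unset config keys are a second problem: `yq '.customEndpoint' constellation-conf.yaml` prints `null` when the key is empty, so the tfvars would contain `custom_endpoint = "null"` as a literal string — `yq '.customEndpoint // ""'` (and the same for any other optional field) avoids that. The `echo "node_groups = {\n \` form also writes the two-character sequence `\n` rather than a newline, since bash's builtin `echo` does not interpret escapes without `-e`; the later patch drops it. `disk_size` and `initial_count` are written as quoted strings here — whether the Terraform variables accept that depends on their declared types, which are not visible in this patch.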
From 8f87ba4f45447d5846f5c070768dcef9695be101 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 18 Oct 2023 11:08:00 +0200 Subject: [PATCH 07/29] copy constellation conf Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index de98cad3b3..52cffd1ba2 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -12,11 +12,12 @@ inputs: runs: using: "composite" steps: - - name: Copy Terraform configuration + - name: Copy Terraform configuration and Constellation config shell: bash working-directory: run : | cp -r ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra + cp ${{ github.workspace }}/constellation-conf.yaml ${{ github.workspace }}/e2e-infra - name: Write Terraform variables shell: bash From bd37c78c43de2f810bf7758bc12f03e1ff5fa304 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 18 Oct 2023 15:10:13 +0200 Subject: [PATCH 08/29] remove unnecessary line breaks --- .../actions/self_managed_create/action.yml | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 52cffd1ba2..7581a2b60e 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml 
@@ -27,27 +27,26 @@ runs: echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars echo "image_id = \"${{ inputs.osImage }}\"" >> terraform.tfvars - echo "node_groups = {\n \ - control_plane_default = {\n \ - role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\"\n \ - zone = \"$(yq '.nodeGroups.control_plane_default.zone' constellation-conf.yaml)\"\n \ - zones = [ \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" ]\n \ - instance_type = \"$(yq '.nodeGroups.control_plane_default.instanceType' constellation-conf.yaml)\"\n \ - disk_size = \"$(yq '.nodeGroups.control_plane_default.stateDiskSizeGB' constellation-conf.yaml)\"\n \ - disk_type = \"$(yq '.nodeGroups.control_plane_default.stateDiskType' constellation-conf.yaml)\"\n \ - initial_count = \"$(yq '.nodeGroups.control_plane_default.initialCount' constellation-conf.yaml)\"\n \ - }\n \ - worker_default = {\n \ - role = \"$(yq '.nodeGroups.worker_default.role' constellation-conf.yaml)\"\n \ - zone = \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\"\n \ - zones = [ \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" ]\n \ - instance_type = \"$(yq '.nodeGroups.worker_default.instanceType' constellation-conf.yaml)\"\n \ - disk_size = \"$(yq '.nodeGroups.worker_default.stateDiskSizeGB' constellation-conf.yaml)\"\n \ - disk_type = \"$(yq '.nodeGroups.worker_default.stateDiskType' constellation-conf.yaml)\"\n \ - initial_count = \"$(yq '.nodeGroups.worker_default.initialCount' constellation-conf.yaml)\"\n \ - } \ - }" \ - >> terraform.tfvars + echo "node_groups = { + control_plane_default = { + role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\" + zone = \"$(yq '.nodeGroups.control_plane_default.zone' constellation-conf.yaml)\" + zones = [ \"$(yq '.nodeGroups.worker_default.zone' 
constellation-conf.yaml)\" ] + instance_type = \"$(yq '.nodeGroups.control_plane_default.instanceType' constellation-conf.yaml)\" + disk_size = \"$(yq '.nodeGroups.control_plane_default.stateDiskSizeGB' constellation-conf.yaml)\" + disk_type = \"$(yq '.nodeGroups.control_plane_default.stateDiskType' constellation-conf.yaml)\" + initial_count = \"$(yq '.nodeGroups.control_plane_default.initialCount' constellation-conf.yaml)\" + } + worker_default = { + role = \"$(yq '.nodeGroups.worker_default.role' constellation-conf.yaml)\" + zone = \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" + zones = [ \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" ] + instance_type = \"$(yq '.nodeGroups.worker_default.instanceType' constellation-conf.yaml)\" + disk_size = \"$(yq '.nodeGroups.worker_default.stateDiskSizeGB' constellation-conf.yaml)\" + disk_type = \"$(yq '.nodeGroups.worker_default.stateDiskType' constellation-conf.yaml)\" + initial_count = \"$(yq '.nodeGroups.worker_default.initialCount' constellation-conf.yaml)\" + } + }" >> terraform.tfvars if [[ "${{ inputs.cloudProvider }}" == 'aws' ]]; then echo "iam_instance_profile_control_plane = \"$(yq '.provider.aws.iamProfileControlPlane' constellation-conf.yaml)\"" >> terraform.tfvars echo "iam_instance_profile_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars From ca81f20d601f666c1616c9b300a1a59190b6b259 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 18 Oct 2023 16:39:36 +0200 Subject: [PATCH 09/29] add missing value Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 7581a2b60e..164a1b890f 100644 --- a/.github/actions/self_managed_create/action.yml 
+++ b/.github/actions/self_managed_create/action.yml @@ -55,6 +55,7 @@ runs: echo "ami = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then + echo "location = \"$(yq '.provider.azure.location' constellation-conf.yaml)\"" >> terraform.tfvars echo "create_maa = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars echo "confidential_vm = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars echo "secure_boot = $(yq '.provider.azure.secureBoot' constellation-conf.yaml)" >> terraform.tfvars From ba386d46933d31c8ddbc406032ece2691422b1c1 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 18 Oct 2023 17:54:38 +0200 Subject: [PATCH 10/29] add image fetching for CSP Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .../actions/constellation_create/action.yml | 1 - .../actions/self_managed_create/action.yml | 14 +++-- hack/image-fetch/BUILD.bazel | 22 ++++++++ hack/image-fetch/main.go | 54 +++++++++++++++++++ 4 files changed, 85 insertions(+), 6 deletions(-) create mode 100644 hack/image-fetch/BUILD.bazel create mode 100644 hack/image-fetch/main.go diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index 7cbe5ef490..2931ffe188 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -142,7 +142,6 @@ runs: uses: ./.github/actions/self_managed_create with: cloudProvider: ${{ inputs.cloudProvider }} - osImage: ${{ steps.setImage.outputs.image }} - name: Cdbg deploy if: inputs.isDebugImage == 'true' diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 164a1b890f..399e5867be 100644 
--- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -5,9 +5,6 @@ inputs: cloudProvider: description: "The cloud provider the test runs on." required: true - osImage: - description: "OS image to use." - required: true runs: using: "composite" @@ -19,6 +16,13 @@ runs: cp -r ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra cp ${{ github.workspace }}/constellation-conf.yaml ${{ github.workspace }}/e2e-infra + - name: Get CSP image reference + id: get_image + shell: bash + working-directory: ${{ github.workspace }}/e2e-infra + run : | + echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT + - name: Write Terraform variables shell: bash working-directory: ${{ github.workspace }}/e2e-infra @@ -26,7 +30,7 @@ runs: echo "name = \"$(yq '.name' constellation-conf.yaml)\"" >> terraform.tfvars echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars - echo "image_id = \"${{ inputs.osImage }}\"" >> terraform.tfvars + echo "image_id = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars echo "node_groups = { control_plane_default = { role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\" 
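Review bot: In the new `Get CSP image reference` step, `echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT` discards the exit status of the command substitution — `echo` succeeds regardless, so a failed fetch leaves `image_ref` empty with the step green, and the next step then writes `image_id = ""` into terraform.tfvars. Capture it in an assignment first so the shell's `-e` sees the failure: `image_ref="$(bazel run //hack/image-fetch:image-fetch)"` followed by `echo "image_ref=${image_ref}" >> "$GITHUB_OUTPUT"`. Anything the tool prints to stdout other than the reference ends up in the variable as well, which matters for how the Go helper reports errors.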
@@ -52,7 +56,7 @@ runs: echo "iam_instance_profile_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars echo "region = \"$(yq '.provider.aws.region' constellation-conf.yaml)\"" >> terraform.tfvars echo "zone = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars - echo "ami = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars + echo "ami = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then echo "location = \"$(yq '.provider.azure.location' constellation-conf.yaml)\"" >> terraform.tfvars diff --git a/hack/image-fetch/BUILD.bazel b/hack/image-fetch/BUILD.bazel new file mode 100644 index 0000000000..04cd13dcdd --- /dev/null +++ b/hack/image-fetch/BUILD.bazel @@ -0,0 +1,22 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library") + +go_library( + name = "image-fetch_lib", + srcs = ["main.go"], + importpath = "github.com/edgelesssys/constellation/v2/hack/image-fetch", + visibility = ["//visibility:private"], + deps = [ + "//internal/api/attestationconfigapi", + "//internal/config", + "//internal/constants", + "//internal/file", + "//internal/imagefetcher", + "@com_github_spf13_afero//:afero", + ], +) + +go_binary( + name = "image-fetch", + embed = [":image-fetch_lib"], + visibility = ["//visibility:public"], +) diff --git a/hack/image-fetch/main.go b/hack/image-fetch/main.go new file mode 100644 index 0000000000..5ebfc7a706 --- /dev/null +++ b/hack/image-fetch/main.go 
@@ -0,0 +1,54 @@ +/* +Copyright (c) Edgeless Systems GmbH + +SPDX-License-Identifier: AGPL-3.0-only +*/ + +/* +imagefetch retrieves a CSP image reference from a Constellation config in the CWD. +This is especially useful when using self-managed infrastructure, where the image +reference needs to be chosen by the user, which would usually happen manually. +*/ +package main + +import ( + "context" + "errors" + "fmt" + "os" + "path/filepath" + + "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi" + "github.com/edgelesssys/constellation/v2/internal/config" + "github.com/edgelesssys/constellation/v2/internal/constants" + "github.com/edgelesssys/constellation/v2/internal/file" + "github.com/edgelesssys/constellation/v2/internal/imagefetcher" + "github.com/spf13/afero" +) + +func main() { + cwd := os.Getenv("BUILD_WORKING_DIRECTORY") // set by Bazel, for bazel run compatibility + ctx := context.Background() + + fh := file.NewHandler(afero.NewOsFs()) + attFetcher := attestationconfigapi.NewFetcher() + conf, err := config.New(fh, filepath.Join(cwd, constants.ConfigFilename), attFetcher, true) + var configValidationErr *config.ValidationError + if errors.As(err, &configValidationErr) { + fmt.Println(configValidationErr.LongMessage()) + } + if err != nil { + panic(err) + } + + imgFetcher := imagefetcher.New() + provider := conf.GetProvider() + attestationVariant := conf.GetAttestationConfig().GetVariant() + region := conf.GetRegion() + image, err := imgFetcher.FetchReference(ctx, provider, attestationVariant, conf.Image, region) + if err != nil { + panic(err) + } + + fmt.Println(image) +} From 099c4f5de90112009a2d15dda28fe82a98c5b57b Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Thu, 19 Oct 2023 09:04:42 +0200 Subject: [PATCH 11/29] fix quoting 
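Review bot: On a config validation error `main` prints `configValidationErr.LongMessage()` to stdout before `panic(err)` ends the process, and stdout is exactly what the calling workflow step captures as the image reference; diagnostics belong on stderr, `fmt.Fprintln(os.Stderr, configValidationErr.LongMessage())`. The two `panic(err)` calls likewise dump a stack trace where a one-line message would do: `fmt.Fprintln(os.Stderr, err); os.Exit(1)`. The bare `true` passed as the last argument of `config.New` deserves a short comment naming what it switches on (it reads like a force/skip-validation flag, but that is not visible from here).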
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 399e5867be..ec4652ce12 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -87,5 +87,5 @@ runs: run : | touch ${{ github.workspace }}/constellation-state.yaml yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml - yq eval '.infrastructure.initSecret ="$(terraform output initSecret | jq -r | tr -d '\n' | base64)"' --inplace ${{ github.workspace }}/constellation-state.yaml - yq eval '.infrastructure.clusterEndpoint ="$(terraform output ip)"' --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | base64)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.clusterEndpoint =\"$(terraform output ip)\"" --inplace ${{ github.workspace }}/constellation-state.yaml From b6b1c82b58c32d62b66d712dd69363f020a8059b Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Thu, 19 Oct 2023 09:27:34 +0200 Subject: [PATCH 12/29] add missing input to internal lb test --- .github/workflows/e2e-test-manual-internal.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e-test-manual-internal.yml b/.github/workflows/e2e-test-manual-internal.yml index 49ceaebb20..6f13618d1f 100644 --- a/.github/workflows/e2e-test-manual-internal.yml +++ b/.github/workflows/e2e-test-manual-internal.yml @@ -211,6 +211,7 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} + test: ${{ inputs.test }} - name: Always delete IAM configuration if: always() 
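Review bot: Both rewritten `yq eval` lines build the yq expression from shell command substitution, so any Terraform output containing `"` or `\` breaks the expression or changes the resulting YAML, and the init secret is passed on yq's command line, where it sits in the runner's process list for the duration of the call. yq v4 can read the value from the environment with `strenv()`, which needs no quoting: `INIT_SECRET="$(terraform output initSecret | jq -r | tr -d '\n' | base64)"` followed by `INIT_SECRET="$INIT_SECRET" yq eval '.infrastructure.initSecret = strenv(INIT_SECRET)' --inplace "${{ github.workspace }}/constellation-state.yaml"`. The same pattern recurs in every later state-writing hunk of this series (PATCH 15, 16, 17, 19, 22 and 23), which extend this step; the `Write state` step's `run :` line is outside this hunk.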
From b127004b1d14e0e304058a6b8481ddb00a1f1e40 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Fri, 20 Oct 2023 09:11:37 +0200 Subject: [PATCH 13/29] normalize Azure URLs.. Of course --- hack/image-fetch/main.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/hack/image-fetch/main.go b/hack/image-fetch/main.go index 5ebfc7a706..d0549bfc6f 100644 --- a/hack/image-fetch/main.go +++ b/hack/image-fetch/main.go @@ -17,8 +17,10 @@ import ( "fmt" "os" "path/filepath" + "regexp" "github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi" + "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" "github.com/edgelesssys/constellation/v2/internal/config" "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/file" @@ -26,6 +28,12 @@ import ( "github.com/spf13/afero" ) +var ( + caseInsensitiveCommunityGalleriesRegexp = regexp.MustCompile(`(?i)\/communitygalleries\/`) + caseInsensitiveImagesRegExp = regexp.MustCompile(`(?i)\/images\/`) + caseInsensitiveVersionsRegExp = regexp.MustCompile(`(?i)\/versions\/`) +) + func main() { cwd := os.Getenv("BUILD_WORKING_DIRECTORY") // set by Bazel, for bazel run compatibility ctx := context.Background() @@ -50,5 +58,11 @@ func main() { panic(err) } + if provider == cloudprovider.Azure { + image = caseInsensitiveCommunityGalleriesRegexp.ReplaceAllString(image, "/communityGalleries/") + image = caseInsensitiveImagesRegExp.ReplaceAllString(image, "/images/") + image = caseInsensitiveVersionsRegExp.ReplaceAllString(image, "/versions/") + } + fmt.Println(image) } From 9ea994b8376c5949388f1aacba7d9b495e796dba Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Fri, 20 Oct 2023 09:24:23 +0200 Subject: [PATCH 14/29] tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- hack/image-fetch/BUILD.bazel | 1 + 1 file changed, 1 insertion(+) 
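Review bot: The three `ReplaceAllString` calls added inside `main` are the only non-trivial logic in this package, and keeping them inline is what leaves PATCH 18 with a skipped `TestNop` instead of a real test; moving them into a small `normalizeAzureImageRef(image string) string` helper makes the casing rules unit-testable and keeps `main` to wiring. In the `var` block of the second hunk, the `\/` escapes in the three patterns are unnecessary in Go's RE2 syntax (`/` is not a metacharacter) and `(?i)/communitygalleries/` reads cleaner. `main` starts and ends outside this hunk.
```go
// normalizeAzureImageRef canonicalizes the casing of the path segments of an
// Azure community gallery image reference; a reference without these segments
// is returned unchanged.
func normalizeAzureImageRef(image string) string {
	image = caseInsensitiveCommunityGalleriesRegexp.ReplaceAllString(image, "/communityGalleries/")
	image = caseInsensitiveImagesRegExp.ReplaceAllString(image, "/images/")
	image = caseInsensitiveVersionsRegExp.ReplaceAllString(image, "/versions/")
	return image
}

// … unchanged: main() up to and including the FetchReference call …
	if provider == cloudprovider.Azure {
		image = normalizeAzureImageRef(image)
	}
```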
diff --git a/hack/image-fetch/BUILD.bazel b/hack/image-fetch/BUILD.bazel index 04cd13dcdd..bf9ca7dc30 100644 --- a/hack/image-fetch/BUILD.bazel +++ b/hack/image-fetch/BUILD.bazel @@ -7,6 +7,7 @@ go_library( visibility = ["//visibility:private"], deps = [ "//internal/api/attestationconfigapi", + "//internal/cloud/cloudprovider", "//internal/config", "//internal/constants", "//internal/file", From 4108c6de6902199155b42b287257118e5dc27dde Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Fri, 20 Oct 2023 09:55:40 +0200 Subject: [PATCH 15/29] fix expressions --- .github/actions/self_managed_create/action.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index ec4652ce12..8def9b089e 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -35,7 +35,6 @@ runs: control_plane_default = { role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\" zone = \"$(yq '.nodeGroups.control_plane_default.zone' constellation-conf.yaml)\" - zones = [ \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" ] instance_type = \"$(yq '.nodeGroups.control_plane_default.instanceType' constellation-conf.yaml)\" disk_size = \"$(yq '.nodeGroups.control_plane_default.stateDiskSizeGB' constellation-conf.yaml)\" disk_type = \"$(yq '.nodeGroups.control_plane_default.stateDiskType' constellation-conf.yaml)\" 
@@ -44,7 +43,6 @@ runs: worker_default = { role = \"$(yq '.nodeGroups.worker_default.role' constellation-conf.yaml)\" zone = \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" - zones = [ \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\" ] instance_type = \"$(yq '.nodeGroups.worker_default.instanceType' constellation-conf.yaml)\" disk_size = \"$(yq '.nodeGroups.worker_default.stateDiskSizeGB' constellation-conf.yaml)\" disk_type = \"$(yq '.nodeGroups.worker_default.stateDiskType' constellation-conf.yaml)\" @@ -85,7 +83,6 @@ runs: shell: bash working-directory: ${{ github.workspace }}/e2e-infra run : | - touch ${{ github.workspace }}/constellation-state.yaml yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | base64)\"" --inplace ${{ github.workspace }}/constellation-state.yaml - yq eval ".infrastructure.clusterEndpoint =\"$(terraform output ip)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.clusterEndpoint =$(terraform output out_of_cluster_endpoint)" --inplace ${{ github.workspace }}/constellation-state.yaml From 3fbe536c2483911cbbc8e324cb7513681491cda5 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Fri, 20 Oct 2023 16:54:47 +0200 Subject: [PATCH 16/29] initsecret to hex --- .github/actions/self_managed_create/action.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 8def9b089e..d9ed096b1f 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml 
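Review bot: With the `touch ${{ github.workspace }}/constellation-state.yaml` line removed in the last hunk, the first `yq eval '.version ="v1"' --inplace ...` now runs against a file that nothing in this step creates, and as far as I can tell yq's `--inplace` fails rather than creating a missing file; so this relies on an earlier step having written the state file. If that is the intent, a comment naming that step, `# constellation-state.yaml is created earlier by <step name>`, would make the dependency explicit; if not, the `touch` should come back. The enclosing `Write state` step starts outside this hunk.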
@@ -84,5 +84,6 @@ runs: working-directory: ${{ github.workspace }}/e2e-infra run : | yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml - yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | base64)\"" --inplace ${{ github.workspace }}/constellation-state.yaml - yq eval ".infrastructure.clusterEndpoint =$(terraform output out_of_cluster_endpoint)" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | hexdump -e '"%x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml From 2bef8b0aa78eb76ba8184a822a5c5fdcb0ea66bd Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Mon, 23 Oct 2023 08:45:08 +0200 Subject: [PATCH 17/29] update hexdump cmd --- .github/actions/self_managed_create/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index d9ed096b1f..5b66848b72 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml 
@@ -84,6 +84,6 @@ runs: working-directory: ${{ github.workspace }}/e2e-infra run : | yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml - yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | hexdump -e '"%x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml From 0a44af70dc89cad8390cb219ea4b987ee061342a Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Mon, 23 Oct 2023 08:56:51 +0200 Subject: [PATCH 18/29] add build test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- hack/image-fetch/BUILD.bazel | 7 +++++++ hack/image-fetch/main_test.go | 7 +++++++ 2 files changed, 14 insertions(+) create mode 100644 hack/image-fetch/main_test.go diff --git a/hack/image-fetch/BUILD.bazel b/hack/image-fetch/BUILD.bazel index bf9ca7dc30..91bc8eff62 100644 --- a/hack/image-fetch/BUILD.bazel +++ b/hack/image-fetch/BUILD.bazel @@ -1,4 +1,5 @@ load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library") +load("//bazel/go:go_test.bzl", "go_test") go_library( name = "image-fetch_lib", @@ -21,3 +22,9 @@ go_binary( embed = [":image-fetch_lib"], visibility = ["//visibility:public"], ) + +go_test( + name = "image-fetch_test", + srcs = ["main_test.go"], + embed = [":image-fetch_lib"], +) diff --git a/hack/image-fetch/main_test.go b/hack/image-fetch/main_test.go new file mode 100644 index 0000000000..51c8949557 --- /dev/null 
+++ b/hack/image-fetch/main_test.go @@ -0,0 +1,7 @@ +package main + +import "testing" + +func TestNop(t *testing.T) { + t.Skip("This is a nop-test to catch build-time errors in this package.") +} From 6a55ad1c3c49a1324e204be69216d4bbb4ad749d Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:25:48 +0200 Subject: [PATCH 19/29] add node / pod cidr outputs Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 5b66848b72..121de2c5cf 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -87,3 +87,7 @@ runs: yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_nodes | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + if [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then + yq eval ".infrastructure.gcp.ipCidrPod =\"$(terraform output ip_cidr_pods | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + fi From a00ef4ec762b6e8ebddbf0f77bf9af7997b91da8 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 24 Oct 2023 10:18:51 +0200 Subject: [PATCH 20/29] explicitly delete the state file 
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/constellation_destroy/action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml index 70be277ae3..2d755976ab 100644 --- a/.github/actions/constellation_destroy/action.yml +++ b/.github/actions/constellation_destroy/action.yml @@ -54,3 +54,5 @@ runs: run: | terraform init terraform destroy -auto-approve + # Explicitly delete the state file + rm constellation-state.yaml From 543a0b8f30b13b8292f880c17161adafc1da3328 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 24 Oct 2023 10:53:05 +0200 Subject: [PATCH 21/29] add missing license header Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- hack/image-fetch/main_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hack/image-fetch/main_test.go b/hack/image-fetch/main_test.go index 51c8949557..fa73af23e8 100644 --- a/hack/image-fetch/main_test.go +++ b/hack/image-fetch/main_test.go @@ -1,3 +1,9 @@ +/* +Copyright (c) Edgeless Systems GmbH + +SPDX-License-Identifier: AGPL-3.0-only +*/ + package main import "testing" From d41b1fda7e7502e9781e0337d74798e17c611c88 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 24 Oct 2023 14:09:35 +0200 Subject: [PATCH 22/29] always write all outputs Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 121de2c5cf..42fc76b82b 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml 
@@ -88,6 +88,17 @@ runs: yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_nodes | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml - if [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then + yq eval ".infrastructure.uid =\"$(terraform output uid | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.name =\"$(terraform output name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.apiServerCertSANs =\"$(terraform output -json api_server_cert_sans)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + if [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then + yq eval ".infrastructure.azure.resourceGroup =\"$(terraform output resource_group | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.azure.subscriptionID =\"$(terraform output subscription_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.azure.networkSecurityGroupName =\"$(terraform output network_security_group_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.azure.loadBalancerName =\"$(terraform output loadbalancer_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.azure.userAssignedIdentity =\"$(terraform output user_assigned_identity_client_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.azure.attestationURL =\"$(terraform output attestationURL | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml 
+ elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then + yq eval ".infrastructure.gcp.projectID =\"$(terraform output project | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.gcp.ipCidrPod =\"$(terraform output ip_cidr_pods | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml fi From 8148c882dcd3dd857854ae73ed10225f039e3cac Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Tue, 24 Oct 2023 14:59:38 +0200 Subject: [PATCH 23/29] fix list output Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .github/actions/self_managed_create/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 42fc76b82b..2740f820e8 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml 
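Review bot: The added block repeats the same `yq eval ".infrastructure.<key> =\"$(terraform output <name> | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml` line a dozen times, differing only in the key and the output name, which makes the quoting easy to get wrong per line (the `apiServerCertSANs` line in this very hunk wraps a JSON list in string quotes) and hard to review. A two-argument shell function that takes the value through the environment collapses each line to `write_state <key> <output>` and removes the quoting problem entirely. This hunk starts on the previous line and the enclosing `Write state` step begins outside it.
```yaml
      run: |
        # write_state KEY OUTPUT: copy Terraform output OUTPUT into .infrastructure.KEY
        # of the state file; the value travels via the environment, so it needs no quoting.
        write_state() {
          VALUE="$(terraform output "$2" | jq -r)" \
            yq eval ".infrastructure.$1 = strenv(VALUE)" --inplace "${{ github.workspace }}/constellation-state.yaml"
        }
        write_state uid uid
        write_state name name
        # … unchanged: one write_state call per remaining key; Azure and GCP branches likewise …
```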
@@ -90,7 +90,7 @@ runs: yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_nodes | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.uid =\"$(terraform output uid | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.name =\"$(terraform output name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml - yq eval ".infrastructure.apiServerCertSANs =\"$(terraform output -json api_server_cert_sans)\"" --inplace ${{ github.workspace }}/constellation-state.yaml + yq eval ".infrastructure.apiServerCertSANs =$(terraform output -json api_server_cert_sans)" --inplace ${{ github.workspace }}/constellation-state.yaml if [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then yq eval ".infrastructure.azure.resourceGroup =\"$(terraform output resource_group | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml yq eval ".infrastructure.azure.subscriptionID =\"$(terraform output subscription_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml From e1642bf7668569eca1248214ba5ae4591cf596bc Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 25 Oct 2023 08:12:39 +0200 Subject: [PATCH 24/29] remove state-file and admin-conf on destroy --- .github/actions/constellation_destroy/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml index 2d755976ab..a98dab0953 100644 --- a/.github/actions/constellation_destroy/action.yml +++ b/.github/actions/constellation_destroy/action.yml @@ -55,4 +55,5 @@ runs: terraform init terraform destroy -auto-approve # Explicitly delete the state file - rm constellation-state.yaml + rm ${{ github.workspace }}/constellation-state.yaml + rm ${{ github.workspace }}/constellation-admin.conf 
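Review bot: In the PATCH 24 hunk, `rm ${{ github.workspace }}/constellation-admin.conf` runs under the composite action's `bash -e` default, so when the admin kubeconfig was never written (the workflows call this action with `if: always()`, i.e. also after a failed create or init, as the PATCH 25 workflow hunks show) the step fails after `terraform destroy` already succeeded and a clean teardown is reported red. `rm -f "${{ github.workspace }}/constellation-state.yaml" "${{ github.workspace }}/constellation-admin.conf"` handles both files in one line regardless of whether they exist. Removing the admin kubeconfig from the workspace after teardown is the right call, since it is the cluster's admin credential; the `Constellation terminate (self-managed)` step starts outside this hunk.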
From 9d2628a5751f6966de878c60755d9339b3bfb8bc Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Wed, 25 Oct 2023 08:30:39 +0200 Subject: [PATCH 25/29] dont use test payload Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --- .../actions/constellation_create/action.yml | 7 ++++-- .../actions/constellation_destroy/action.yml | 8 +++---- .github/actions/e2e_test/action.yml | 8 +++++-- .github/workflows/e2e-test-daily.yml | 3 ++- .../workflows/e2e-test-manual-internal.yml | 3 ++- .github/workflows/e2e-test-manual.yml | 6 ++--- .github/workflows/e2e-test-release.yml | 23 +++++++++++++++++-- .github/workflows/e2e-test-weekly.yml | 16 +++++++++---- .github/workflows/e2e-upgrade.yml | 3 ++- 9 files changed, 56 insertions(+), 21 deletions(-) diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index 2931ffe188..05ae8cb454 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -50,6 +50,9 @@ inputs: internalLoadBalancer: description: "Whether to use an internal load balancer for the control plane" required: false + selfManagedInfra: + description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." + required: true outputs: kubeconfig: @@ -132,13 +135,13 @@ runs: sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true - name: Constellation create (CLI) - if : inputs.test != 'self-managed infra' + if : inputs.selfManagedInfra != 'true' shell: bash run: | constellation create -y --debug --tf-log=DEBUG - name: Constellation create (self-managed) - if : inputs.test == 'self-managed infra' + if : inputs.selfManagedInfra == 'true' uses: ./.github/actions/self_managed_create with: cloudProvider: ${{ inputs.cloudProvider }} 
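Review bot: `selfManagedInfra` is declared `required: true` without a `default` in `constellation_create/action.yml` (and the same in `constellation_destroy/action.yml` in the next file), while `e2e_test/action.yml` gives the same input `default: "false"`; a caller that omits it here only gets a runner warning, `inputs.selfManagedInfra` evaluates to the empty string, and `!= 'true'` silently selects the CLI path. Adding `default: "false"` to both actions, or at least stating the accepted values in the description, `description: 'Use self-managed infrastructure instead of infrastructure created by the Constellation CLI ("true" or "false").'`, keeps the three actions consistent. The `if :` with a space before the colon on both `Constellation create` steps is valid YAML but differs from the `if:` used elsewhere in this file.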
diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml index a98dab0953..f9ae8c8f8a 100644 --- a/.github/actions/constellation_destroy/action.yml +++ b/.github/actions/constellation_destroy/action.yml @@ -5,8 +5,8 @@ inputs: kubeconfig: description: "The kubeconfig for the cluster." required: true - test: - description: "The e2e test payload." + selfManagedInfra: + description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." required: true runs: @@ -42,13 +42,13 @@ runs: echo "::endgroup::" - name: Constellation terminate - if: inputs.test != 'self-managed infra' + if: inputs.selfManagedInfra != 'true' shell: bash run: | constellation terminate --yes --tf-log=DEBUG - name: Constellation terminate (self-managed) - if: inputs.test == 'self-managed infra' + if: inputs.selfManagedInfra == 'true' shell: bash working-directory: ${{ github.workspace }}/e2e-infra run: | diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index 1dc4398c98..00de05ab8f 100644 --- a/.github/actions/e2e_test/action.yml +++ b/.github/actions/e2e_test/action.yml @@ -53,7 +53,7 @@ inputs: description: "Azure credentials authorized to create an IAM configuration." required: true test: - description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, self-managed infra, nop, upgrade]." + description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]." required: true sonobuoyTestSuiteCmd: description: "The sonobuoy test suite to run." 
@@ -76,6 +76,9 @@ inputs: description: "Enable security policy for the cluster." internalLoadBalancer: description: "Enable internal load balancer for the cluster." + selfManagedInfra: + description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." + default: "false" outputs: kubeconfig: @@ -89,7 +92,7 @@ runs: using: "composite" steps: - name: Check input - if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "self-managed infra", "nop", "upgrade"]'), inputs.test)) + if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "nop", "upgrade"]'), inputs.test)) shell: bash run: | echo "::error::Invalid input for test field: ${{ inputs.test }}" @@ -261,6 +264,7 @@ runs: refStream: ${{ inputs.refStream }} internalLoadBalancer: ${{ inputs.internalLoadBalancer }} test: ${{ inputs.test }} + selfManagedInfra: ${{ inputs.selfManagedInfra }} - name: Deploy log- and metrics-collection (Kubernetes) id: deploy-logcollection diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index 6bd3da2319..803ddd4353 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml @@ -91,13 +91,14 @@ jobs: awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} + selfManagedInfra: "false" - name: Always terminate cluster if: always() uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - test: ${{ matrix.test }} + selfManagedInfra: "false" - name: Always delete IAM configuration if: always() diff --git a/.github/workflows/e2e-test-manual-internal.yml b/.github/workflows/e2e-test-manual-internal.yml index 6f13618d1f..d9297f22e8 100644 
--- a/.github/workflows/e2e-test-manual-internal.yml +++ b/.github/workflows/e2e-test-manual-internal.yml @@ -205,13 +205,14 @@ jobs: cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }} internalLoadBalancer: true + selfManagedInfra: "false" - name: Always terminate cluster if: always() uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - test: ${{ inputs.test }} + selfManagedInfra: "false" - name: Always delete IAM configuration if: always() diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml index 9b0dc9732c..a32f5147a5 100644 --- a/.github/workflows/e2e-test-manual.yml +++ b/.github/workflows/e2e-test-manual.yml @@ -35,7 +35,6 @@ on: - "verify" - "recover" - "malicious join" - - "self-managed infra" - "nop" required: true kubernetesVersion: @@ -261,14 +260,15 @@ jobs: cosignPassword: ${{ secrets.COSIGN_PASSWORD }} cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }} + selfManagedInfra: "false" - name: Always terminate cluster if: always() uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - test: ${{ inputs.test }} - + selfManagedInfra: "false" + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml index 96b4e0387f..3f2589c9ca 100644 --- a/.github/workflows/e2e-test-release.yml +++ b/.github/workflows/e2e-test-release.yml 
@@ -151,6 +151,24 @@ jobs: kubernetes-version: "v1.28" runner: "ubuntu-22.04" + # self-managed infra test on latest k8s version + # runs Sonobuoy full test + - test: "sonobuoy full" + provider: "gcp" + kubernetes-version: "v1.28" + runner: "ubuntu-22.04" + selfManagedInfra: "true" + - test: "sonobuoy full" + provider: "azure" + kubernetes-version: "v1.28" + runner: "ubuntu-22.04" + selfManagedInfra: "true" + - test: "sonobuoy full" + provider: "aws" + kubernetes-version: "v1.28" + runner: "ubuntu-22.04" + selfManagedInfra: "true" + # # Tests on macOS runner # @@ -213,14 +231,15 @@ jobs: cosignPassword: ${{ secrets.COSIGN_PASSWORD }} cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} githubToken: ${{ secrets.GITHUB_TOKEN }} + selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} - name: Always terminate cluster if: always() uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - test: ${{ matrix.test }} - + selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index 8dca6b9fe1..27d104207b 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml 
@@ -172,18 +172,22 @@ jobs: kubernetes-version: "v1.28" # self-managed infra test on latest k8s version - - test: "self-managed infra" + # with Sonobuoy full + - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" - - test: "self-managed infra" + selfManagedInfra: "true" + - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" - - test: "self-managed infra" + selfManagedInfra: "true" + - test: "sonobuoy full" provider: "aws" refStream: "ref/main/stream/debug/?" kubernetes-version: "v1.28" + selfManagedInfra: "true" # # Tests on release-stable refStream @@ -202,6 +206,7 @@ jobs: refStream: "ref/release/stream/stable/?" provider: "aws" kubernetes-version: "v1.27" + runs-on: ubuntu-22.04 permissions: id-token: write @@ -245,14 +250,15 @@ jobs: cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }} azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }} + selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} - name: Always terminate cluster if: always() uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - test: ${{ matrix.test }} - + selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} + - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml index bdd917a051..bd1e5fc155 100644 --- a/.github/workflows/e2e-upgrade.yml +++ b/.github/workflows/e2e-upgrade.yml @@ -182,6 +182,7 @@ jobs: awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} + selfManagedInfra: "false" - name: Build CLI uses: ./.github/actions/build_cli 
@@ -287,7 +288,7 @@ jobs:
 uses: ./.github/actions/constellation_destroy
 with:
 kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- test: "upgrade"
+ selfManagedInfra: "false"
 - name: Always delete IAM configuration
 if: always()
From 76476c6adbb19fc1848c70567008225eec49ec23 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Wed, 25 Oct 2023 15:56:51 +0200
Subject: [PATCH 26/29] [remove] use self managed infra in manual e2e for testing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---
 .github/workflows/e2e-test-manual.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
index a32f5147a5..851d679ad9 100644
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@@ -260,14 +260,14 @@ jobs:
 cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
 cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
 fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }}
- selfManagedInfra: "false"
+ selfManagedInfra: "true"
 - name: Always terminate cluster
 if: always()
 uses: ./.github/actions/constellation_destroy
 with:
 kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- selfManagedInfra: "false"
+ selfManagedInfra: "true"
 - name: Always delete IAM configuration
 if: always()
From 50743a993d05868cffe5658ec34fd8509f19804e Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Thu, 26 Oct 2023 08:48:39 +0200
Subject: [PATCH 27/29] init: always skip infrastructure phase
---
 cli/internal/cmd/init.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cli/internal/cmd/init.go b/cli/internal/cmd/init.go
index 67ca29c4ef..266a4b23a4 100644
--- a/cli/internal/cmd/init.go
+++ b/cli/internal/cmd/init.go
@@ -43,6 +43,8 @@ func NewInitCmd() *cobra.Command {
 RunE: func(cmd *cobra.Command, args []string) error {
 // Define flags for apply backend that are not set by init
 cmd.Flags().Bool("yes", false, "")
+ // We always want to skip the infrastructure phase here, to be aligned with the
+ // functionality of the old init command.
 cmd.Flags().StringSlice("skip-phases", []string{string(skipInfrastructurePhase)}, "")
 cmd.Flags().Duration("timeout", time.Hour, "")
 return runApply(cmd, args)
From 1bea9dda8f83ed6631430a66fbde74f63ff73cd3 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Thu, 26 Oct 2023 19:06:59 +0200
Subject: [PATCH 28/29] patch maa in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---
 .../actions/self_managed_create/action.yml | 17 +++++++---
 cli/internal/cloudcmd/BUILD.bazel | 6 +---
 cli/internal/cloudcmd/clusterupgrade.go | 3 +-
 cli/internal/cloudcmd/create.go | 3 +-
 hack/maa-patch/BUILD.bazel | 22 +++++++++++++
 hack/maa-patch/main.go | 33 +++++++++++++++++++
 hack/maa-patch/main_test.go | 13 ++++++++
 internal/maa/BUILD.bazel | 24 ++++++++++++++
 internal/maa/maa.go | 9 +++++
 .../cloudcmd => internal/maa}/patch.go | 2 +-
 .../cloudcmd => internal/maa}/patch_test.go | 2 +-
 11 files changed, 120 insertions(+), 14 deletions(-)
 create mode 100644 hack/maa-patch/BUILD.bazel
 create mode 100644 hack/maa-patch/main.go
 create mode 100644 hack/maa-patch/main_test.go
 create mode 100644 internal/maa/BUILD.bazel
 create mode 100644 internal/maa/maa.go
 rename {cli/internal/cloudcmd => internal/maa}/patch.go (99%)
 rename {cli/internal/cloudcmd => internal/maa}/patch_test.go (99%)
diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml
index 2740f820e8..3b5b4fc54f 100644
--- a/.github/actions/self_managed_create/action.yml
+++ b/.github/actions/self_managed_create/action.yml
@@ -12,7 +12,7 @@ runs:
 - name: Copy Terraform configuration and Constellation config
 shell: bash
 working-directory:
- run : |
+ run: |
 cp -r ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra
 cp ${{ github.workspace }}/constellation-conf.yaml ${{ github.workspace }}/e2e-infra
@@ -20,13 +20,13 @@ runs:
 id: get_image
 shell: bash
 working-directory: ${{ github.workspace }}/e2e-infra
- run : |
+ run: |
 echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT
 - name: Write Terraform variables
 shell: bash
 working-directory: ${{ github.workspace }}/e2e-infra
- run : |
+ run: |
 echo "name = \"$(yq '.name' constellation-conf.yaml)\"" >> terraform.tfvars
 echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars
 echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars
@@ -75,14 +75,21 @@ runs:
 - name: Apply Terraform configuration
 shell: bash
 working-directory: ${{ github.workspace }}/e2e-infra
- run : |
+ run: |
 terraform init
 terraform apply -auto-approve
+ - name: Patch MAA Policy
+ shell: bash
+ working-directory: ${{ github.workspace }}/e2e-infra
+ if: ${{ inputs.cloudProvider }} == 'azure'
+ run: |
+ bazel run //hack/maa-patch:maa-patch $(terraform output attestationURL | jq -r)
+
 - name: Write outputs to state file
 shell: bash
 working-directory: ${{ github.workspace }}/e2e-infra
- run : |
+ run: |
 yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml
 yq eval ".infrastructure.initSecret =\"$(terraform output initSecret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml
 yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
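Review bot: The `if: ${{ inputs.cloudProvider }} == 'azure'` condition on the new `Patch MAA Policy` step in the third hunk does not limit the step to Azure: after the `${{ }}` block is expanded, the condition is the non-empty string `gcp == 'azure'` (or `aws == 'azure'`), which GitHub Actions evaluates as true, so the step also runs on GCP and AWS. There `terraform output attestationURL` has no such output, the command substitution is empty, and `bazel run //hack/maa-patch:maa-patch` is invoked without an argument and fails the job. Write the condition as a plain expression, `if: inputs.cloudProvider == 'azure'`. Since the argument selects which attestation endpoint has its policy rewritten, it is also worth quoting it, `"$(terraform output attestationURL | jq -r)"`, so an unexpected value does not split into several arguments.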
diff --git a/cli/internal/cloudcmd/BUILD.bazel b/cli/internal/cloudcmd/BUILD.bazel
index f2b4dbfb5d..17cc0f1bed 100644
--- a/cli/internal/cloudcmd/BUILD.bazel
+++ b/cli/internal/cloudcmd/BUILD.bazel
@@ -10,7 +10,6 @@ go_library(
 "create.go",
 "iam.go",
 "iamupgrade.go",
- "patch.go",
 "rollback.go",
 "serviceaccount.go",
 "terminate.go",
@@ -36,10 +35,8 @@ go_library(
 "//internal/constants",
 "//internal/file",
 "//internal/imagefetcher",
+ "//internal/maa",
 "//internal/role",
- "@com_github_azure_azure_sdk_for_go//profiles/latest/attestation/attestation",
- "@com_github_azure_azure_sdk_for_go_sdk_azcore//policy",
- "@com_github_azure_azure_sdk_for_go_sdk_azidentity//:azidentity",
 "@com_github_spf13_cobra//:cobra",
 ],
 )
@@ -51,7 +48,6 @@ go_test(
 "clusterupgrade_test.go",
 "create_test.go",
 "iam_test.go",
- "patch_test.go",
 "rollback_test.go",
 "terminate_test.go",
 "tfupgrade_test.go",
diff --git a/cli/internal/cloudcmd/clusterupgrade.go b/cli/internal/cloudcmd/clusterupgrade.go
index b3c8cd054f..a1ef23be49 100644
--- a/cli/internal/cloudcmd/clusterupgrade.go
+++ b/cli/internal/cloudcmd/clusterupgrade.go
@@ -18,6 +18,7 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/file"
+ "github.com/edgelesssys/constellation/v2/internal/maa"
 )
 // ClusterUpgrader is responsible for performing Terraform migrations on cluster upgrades.
@@ -43,7 +44,7 @@ func NewClusterUpgrader(ctx context.Context, existingWorkspace, upgradeWorkspace
 return &ClusterUpgrader{
 tf: tfClient,
- policyPatcher: NewAzurePolicyPatcher(),
+ policyPatcher: maa.NewAzurePolicyPatcher(),
 fileHandler: fileHandler,
 existingWorkspace: existingWorkspace,
 upgradeWorkspace: upgradeWorkspace,
diff --git a/cli/internal/cloudcmd/create.go b/cli/internal/cloudcmd/create.go
index 85031a7fcd..8e384c1fcb 100644
--- a/cli/internal/cloudcmd/create.go
+++ b/cli/internal/cloudcmd/create.go
@@ -25,6 +25,7 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/config"
 "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/imagefetcher"
+ "github.com/edgelesssys/constellation/v2/internal/maa"
 )
 // Creator creates cloud resources.
@@ -51,7 +52,7 @@ func NewCreator(out io.Writer) *Creator {
 newRawDownloader: func() rawDownloader {
 return imagefetcher.NewDownloader()
 },
- policyPatcher: NewAzurePolicyPatcher(),
+ policyPatcher: maa.NewAzurePolicyPatcher(),
 }
 }
diff --git a/hack/maa-patch/BUILD.bazel b/hack/maa-patch/BUILD.bazel
new file mode 100644
index 0000000000..fdcf3f696a
--- /dev/null
+++ b/hack/maa-patch/BUILD.bazel
@@ -0,0 +1,22 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("//bazel/go:go_test.bzl", "go_test")
+
+go_library(
+ name = "maa-patch_lib",
+ srcs = ["main.go"],
+ importpath = "github.com/edgelesssys/constellation/v2/hack/maa-patch",
+ visibility = ["//visibility:private"],
+ deps = ["//internal/maa"],
+)
+
+go_binary(
+ name = "maa-patch",
+ embed = [":maa-patch_lib"],
+ visibility = ["//visibility:public"],
+)
+
+go_test(
+ name = "maa-patch_test",
+ srcs = ["main_test.go"],
+ embed = [":maa-patch_lib"],
+)
diff --git a/hack/maa-patch/main.go b/hack/maa-patch/main.go
new file mode 100644
index 0000000000..42fce2876d
--- /dev/null
+++ b/hack/maa-patch/main.go
@@ -0,0 +1,33 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package main
+
+import (
+ "context"
+ "fmt"
+ "net/url"
+ "os"
+
+ "github.com/edgelesssys/constellation/v2/internal/maa"
+)
+
+func main() {
+ if len(os.Args) != 2 {
+ fmt.Fprintf(os.Stderr, "Usage: %s \n", os.Args[0])
+ os.Exit(1)
+ }
+
+ attestationURL := os.Args[1]
+ if _, err := url.Parse(attestationURL); err != nil {
+ fmt.Fprintf(os.Stderr, "Invalid attestation URL: %s\n", err)
+ os.Exit(1)
+ }
+
+ p := maa.NewAzurePolicyPatcher()
+ if err := p.Patch(context.Background(), attestationURL); err != nil {
+ panic(err)
+ }
+}
diff --git a/hack/maa-patch/main_test.go b/hack/maa-patch/main_test.go
new file mode 100644
index 0000000000..fa73af23e8
--- /dev/null
+++ b/hack/maa-patch/main_test.go
@@ -0,0 +1,13 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package main
+
+import "testing"
+
+func TestNop(t *testing.T) {
+ t.Skip("This is a nop-test to catch build-time errors in this package.")
+}
diff --git a/internal/maa/BUILD.bazel b/internal/maa/BUILD.bazel
new file mode 100644
index 0000000000..19c2f74f46
--- /dev/null
+++ b/internal/maa/BUILD.bazel
@@ -0,0 +1,24 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("//bazel/go:go_test.bzl", "go_test")
+
+go_library(
+ name = "maa",
+ srcs = [
+ "maa.go",
+ "patch.go",
+ ],
+ importpath = "github.com/edgelesssys/constellation/v2/internal/maa",
+ visibility = ["//:__subpackages__"],
+ deps = [
+ "@com_github_azure_azure_sdk_for_go//profiles/latest/attestation/attestation",
+ "@com_github_azure_azure_sdk_for_go_sdk_azcore//policy",
+ "@com_github_azure_azure_sdk_for_go_sdk_azidentity//:azidentity",
+ ],
+)
+
+go_test(
+ name = "maa_test",
+ srcs = ["patch_test.go"],
+ embed = [":maa"],
+ deps = ["@com_github_stretchr_testify//assert"],
+)
diff --git a/internal/maa/maa.go b/internal/maa/maa.go
new file mode 100644
index 0000000000..fcbea6db7d
--- /dev/null
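Review bot: The `url.Parse` check in `main` accepts almost any input — an empty string, a bare hostname or a relative path all parse without error — so a malformed or empty attestation URL coming from the workflow is only noticed inside `p.Patch`, where it surfaces as a panic with a stack trace rather than a usage error. Because this tool rewrites the attestation policy of whichever MAA endpoint it is handed, validate the scheme and host explicitly before calling the patcher, e.g. `u, err := url.Parse(attestationURL)` followed by `if err != nil || u.Scheme != "https" || u.Host == "" { fmt.Fprintf(os.Stderr, "Invalid attestation URL: %q\n", attestationURL); os.Exit(1) }`. The `panic(err)` after `p.Patch` should likewise become a message on stderr plus `os.Exit(1)`, matching the two other error paths in this function. The usage string `"Usage: %s \n"` seems to have lost the placeholder for the argument; if it was written as an angle-bracketed name, check that it is still present in the committed file.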
+++ b/internal/maa/maa.go
@@ -0,0 +1,9 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+// Package maa provides an interface for interacting with an MAA service
+// on an infrastructure level.
+package maa
diff --git a/cli/internal/cloudcmd/patch.go b/internal/maa/patch.go
similarity index 99%
rename from cli/internal/cloudcmd/patch.go
rename to internal/maa/patch.go
index a18138f070..5dfed94350 100644
--- a/cli/internal/cloudcmd/patch.go
+++ b/internal/maa/patch.go
@@ -3,7 +3,7 @@ Copyright (c) Edgeless Systems GmbH
 SPDX-License-Identifier: AGPL-3.0-only
 */
-package cloudcmd
+package maa
 import (
 "context"
diff --git a/cli/internal/cloudcmd/patch_test.go b/internal/maa/patch_test.go
similarity index 99%
rename from cli/internal/cloudcmd/patch_test.go
rename to internal/maa/patch_test.go
index 0e824f3985..f00c30c7ce 100644
--- a/cli/internal/cloudcmd/patch_test.go
+++ b/internal/maa/patch_test.go
@@ -3,7 +3,7 @@ Copyright (c) Edgeless Systems GmbH
 SPDX-License-Identifier: AGPL-3.0-only
 */
-package cloudcmd
+package maa
 import (
 "testing"
From a660d43084ec6ab8bb1ea9fc8ea17f6227ede38f Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Fri, 27 Oct 2023 08:51:32 +0200
Subject: [PATCH 29/29] default to Constellation-created infra in e2e test
---
 .github/workflows/e2e-test-manual.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
index 851d679ad9..a32f5147a5 100644
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@@ -260,14 +260,14 @@ jobs:
 cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
 cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
 fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }}
- selfManagedInfra: "true"
+ selfManagedInfra: "false"
 - name: Always terminate cluster
 if: always()
 uses: ./.github/actions/constellation_destroy
 with:
 kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- selfManagedInfra: "true"
+ selfManagedInfra: "false"
 - name: Always delete IAM configuration
 if: always()