diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml
index 942ef56e4a..8bafa9ed23 100644
--- a/.github/actions/deploy_logcollection/action.yml
+++ b/.github/actions/deploy_logcollection/action.yml
@@ -65,7 +65,7 @@ runs:
 - name: Install Helm
 uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
 with:
- version: latest
+ version: v3.9.0
 - name: Deploy Logstash
 id: deploy-logstash
diff --git a/.github/actions/login_gcp/action.yml b/.github/actions/login_gcp/action.yml
index 4a05a03b79..5c40696063 100644
--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@@ -19,8 +19,6 @@ runs:
 echo "GCP_PROJECT=" >> "$GITHUB_ENV"
 echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
- # As described at:
- # https://github.com/google-github-actions/setup-gcloud#service-account-key-json
 - name: Authorize GCP access
 uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
 with:
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
index b0f43ff7a9..98192e5b65 100644
--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@@ -126,6 +126,4 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Remove temporary branch
- env:
- WORKING_BRANCH: ${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}
- run: git push origin --delete "${WORKING_BRANCH}"
+ run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
index 033b79542f..a7a675e65d 100644
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
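Review bot: The new `run:` line in the on-release.yml hunk substitutes `${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}` straight into the shell script, and GitHub expands that expression before the shell ever parses the line, so the surrounding double quotes do not contain it: any shell metacharacters in that job output would become part of the command. The `env:` indirection this hunk deletes is exactly the form that keeps the value out of the script text, which is why GitHub's hardening guidance recommends it for expressions used in `run:` steps. Where the output originates is not visible here, so the real exposure depends on what can set that branch name, but restoring the three removed lines costs nothing: `env:` / `WORKING_BRANCH: ${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}` / `run: git push origin --delete "${WORKING_BRANCH}"`.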
@@ -1,4 +1,11 @@
-# Build Constellation CLI + OS images and check for reproducible builds
+# Verify that Constellation builds are reproducible.
+#
+# The build-* jobs' matrix has two dimensions: a list of targets to build and
+# a list of runners to build on. The produced binaries and OS images are
+# expected to be bit-for-bit identical, regardless of the chosen build runner.
+#
+# The compare-* jobs only have the target dimension. They obtain the built
+# targets from all runners and check that there are no diffs between them.
 name: Reproducible Builds
 on:
diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go
index f2f6008239..670b063b66 100644
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@@ -114,7 +114,6 @@ func main() {
 )
 openDevice = vtpm.OpenVTPM
 fs = afero.NewOsFs()
- log.Infof("Added load balancer IP to routing table")
 case cloudprovider.Azure:
 metadata, err := azurecloud.New(ctx)
diff --git a/cli/internal/cmd/configfetchmeasurements.go b/cli/internal/cmd/configfetchmeasurements.go
index 14dd11c874..aaa5b1cf06 100644
--- a/cli/internal/cmd/configfetchmeasurements.go
+++ b/cli/internal/cmd/configfetchmeasurements.go
@@ -153,7 +153,7 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
 return fmt.Errorf("fetching and verifying measurements: %w", err)
 }
 }
- cfm.log.Debugf("Measurements:\n", fetchedMeasurements)
+ cfm.log.Debugf("Measurements: %#v\n", fetchedMeasurements)
 cfm.log.Debugf("Updating measurements in configuration")
 conf.UpdateMeasurements(fetchedMeasurements)
diff --git a/hack/cli-k8s-compatibility/BUILD.bazel b/hack/cli-k8s-compatibility/BUILD.bazel
index 8ea67b87da..d31d56b7de 100644
--- a/hack/cli-k8s-compatibility/BUILD.bazel
+++ b/hack/cli-k8s-compatibility/BUILD.bazel
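Review bot: The corrected format string in the configfetchmeasurements.go hunk still ends in `\n`, which the neighbouring `cfm.log.Debugf("Updating measurements in configuration")` in the same hunk does not, so the two debug lines will render inconsistently if the logger appends its own terminator. Dropping it gives `cfm.log.Debugf("Measurements: %#v", fetchedMeasurements)`. `%#v` prints the Go-syntax form of the whole measurements map, which is verbose but acceptable at debug level; `%v` would be the terser choice if the type name is not needed. configFetchMeasurements starts before this hunk and continues past it.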
@@ -7,6 +7,7 @@ go_library(
 visibility = ["//visibility:private"],
 deps = [
 "//internal/api/versionsapi",
+ "//internal/constants",
 "//internal/logger",
 "//internal/versions",
 "@org_uber_go_zap//zapcore",
diff --git a/hack/cli-k8s-compatibility/main.go b/hack/cli-k8s-compatibility/main.go
index 1f58209a32..616c6fd984 100644
--- a/hack/cli-k8s-compatibility/main.go
+++ b/hack/cli-k8s-compatibility/main.go
@@ -12,6 +12,7 @@ import (
 "flag"
 "github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 "github.com/edgelesssys/constellation/v2/internal/versions"
 "go.uber.org/zap/zapcore"
@@ -49,7 +50,7 @@ func main() {
 cliInfo.Kubernetes = append(cliInfo.Kubernetes, v.ClusterVersion)
 }
- c, cclose, err := versionsapi.NewClient(ctx, "eu-central-1", "cdn-constellation-backend", "E1H77EZTHC3NE4", false, log)
+ c, cclose, err := versionsapi.NewClient(ctx, "eu-central-1", "cdn-constellation-backend", constants.CDNDefaultDistributionID, false, log)
 if err != nil {
 log.Fatalf("creating s3 client: %w", err)
 }
diff --git a/image/upload/internal/cmd/BUILD.bazel b/image/upload/internal/cmd/BUILD.bazel
index e89acc665d..0717cab0e4 100644
--- a/image/upload/internal/cmd/BUILD.bazel
+++ b/image/upload/internal/cmd/BUILD.bazel
@@ -27,6 +27,7 @@ go_library(
 "//internal/api/versionsapi",
 "//internal/attestation/measurements",
 "//internal/cloud/cloudprovider",
+ "//internal/constants",
 "//internal/logger",
 "//internal/osimage",
 "//internal/osimage/archive",
diff --git a/image/upload/internal/cmd/image.go b/image/upload/internal/cmd/image.go
index 0f4e94e4ce..048ef4e6f9 100644
--- a/image/upload/internal/cmd/image.go
+++ b/image/upload/internal/cmd/image.go
@@ -9,6 +9,7 @@ package cmd
 import (
 "os"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/spf13/cobra"
 )
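Review bot: The `versionsapi.NewClient` call in the hack/cli-k8s-compatibility/main.go hunk now takes the distribution ID from `constants.CDNDefaultDistributionID` but still passes the region and bucket as the literals `"eu-central-1"` and `"cdn-constellation-backend"`, and the same three literals recur as flag defaults in the image.go, info.go and measurementsupload.go hunks of this commit, so only one of the three deployment values is actually centralized. If `internal/constants` has (or gains) counterparts for the region and bucket, hoisting them the same way would finish the deduplication; the constants package itself is not in this diff, so I cannot confirm what it exports. Separately, the context line `log.Fatalf("creating s3 client: %w", err)` in the same hunk uses `%w` with a logger call, which renders as `%!w(...)` if Fatalf forwards to fmt.Sprintf; `%v` is the right verb there and is a one-character fix while this function is being touched. main continues outside the hunk.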
@@ -32,7 +33,7 @@ func NewImageCmd() *cobra.Command {
 cmd.PersistentFlags().String("timestamp", "", "Optional timestamp to use for resource names. Uses format 2006-01-02T15:04:05Z07:00.")
 cmd.PersistentFlags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 cmd.PersistentFlags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
- cmd.PersistentFlags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+ cmd.PersistentFlags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 cmd.PersistentFlags().String("out", "", "Optional path to write the upload result to. If not set, the result is written to stdout.")
 cmd.PersistentFlags().Bool("verbose", false, "Enable verbose output")
 must(cmd.MarkPersistentFlagRequired("raw-image"))
diff --git a/image/upload/internal/cmd/info.go b/image/upload/internal/cmd/info.go
index 51ba533ccc..c837c6a03e 100644
--- a/image/upload/internal/cmd/info.go
+++ b/image/upload/internal/cmd/info.go
@@ -12,6 +12,7 @@ import (
 "os"
 "github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 infoupload "github.com/edgelesssys/constellation/v2/internal/osimage/imageinfo"
 "github.com/spf13/cobra"
@@ -31,7 +32,7 @@ func NewInfoCmd() *cobra.Command {
 cmd.Flags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 cmd.Flags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
- cmd.Flags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+ cmd.Flags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 cmd.Flags().Bool("verbose", false, "Enable verbose output")
 return cmd
diff --git a/image/upload/internal/cmd/measurementsupload.go b/image/upload/internal/cmd/measurementsupload.go
index 4398a0dfc9..e266fda3f5 100644
--- a/image/upload/internal/cmd/measurementsupload.go
+++ b/image/upload/internal/cmd/measurementsupload.go
@@ -10,6 +10,7 @@ import (
 "fmt"
 "os"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 "github.com/edgelesssys/constellation/v2/internal/osimage/measurementsuploader"
 "github.com/spf13/cobra"
@@ -31,7 +32,7 @@ func newMeasurementsUploadCmd() *cobra.Command {
 cmd.Flags().String("signature", "", "Path to signature file to upload")
 cmd.Flags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 cmd.Flags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
- cmd.Flags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+ cmd.Flags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 cmd.Flags().Bool("verbose", false, "Enable verbose output")
 must(cmd.MarkFlagRequired("measurements"))
diff --git a/internal/api/versionsapi/cli/list.go b/internal/api/versionsapi/cli/list.go
index 152d0c5f7c..f158d6d3c8 100644
--- a/internal/api/versionsapi/cli/list.go
+++ b/internal/api/versionsapi/cli/list.go
@@ -94,7 +94,7 @@ func runList(cmd *cobra.Command, _ []string) (retErr error) {
 for _, v := range patchVersions {
 vers = append(vers, v.Version())
 }
- raw, err := json.Marshal(vers)
+ raw, err := json.MarshalIndent(vers, "", " ")
 if err != nil {
 return fmt.Errorf("marshaling versions: %w", err)
 }
diff --git a/internal/attestation/measurements/measurement-generator/BUILD.bazel b/internal/attestation/measurements/measurement-generator/BUILD.bazel
index 35e8c82591..a678991e9a 100644
--- a/internal/attestation/measurements/measurement-generator/BUILD.bazel
+++ b/internal/attestation/measurements/measurement-generator/BUILD.bazel
@@ -11,6 +11,7 @@ go_library(
 "//internal/attestation/measurements",
 "//internal/attestation/variant",
 "//internal/cloud/cloudprovider",
+ "//internal/constants",
 "//internal/sigstore",
 "//internal/sigstore/keyselect",
 "@org_golang_x_tools//go/ast/astutil",
diff --git a/internal/attestation/measurements/measurement-generator/generate.go b/internal/attestation/measurements/measurement-generator/generate.go
index 0050760add..bb5bbc7e58 100644
--- a/internal/attestation/measurements/measurement-generator/generate.go
+++ b/internal/attestation/measurements/measurement-generator/generate.go
@@ -27,6 +27,7 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 "github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/sigstore"
 "github.com/edgelesssys/constellation/v2/internal/sigstore/keyselect"
 "golang.org/x/tools/go/ast/astutil"
@@ -109,11 +110,11 @@ func main() {
 // mustGetMeasurements fetches the measurements for the given image and CSP and verifies them.
 func mustGetMeasurements(ctx context.Context, verifier rekorVerifier, provider cloudprovider.Provider, attestationVariant variant.Variant, image string) measurements.M {
- measurementsURL, err := measurementURL(image, "measurements.json")
+ measurementsURL, err := measurementURL(image, constants.CDNMeasurementsFile)
 if err != nil {
 panic(err)
 }
- signatureURL, err := measurementURL(image, "measurements.json.sig")
+ signatureURL, err := measurementURL(image, constants.CDNMeasurementsSignature)
 if err != nil {
 panic(err)
 }
diff --git a/internal/constellation/helm/generateCertManager.sh b/internal/constellation/helm/generateCertManager.sh
index 85cc9e6725..02b98676e4 100755
--- a/internal/constellation/helm/generateCertManager.sh
+++ b/internal/constellation/helm/generateCertManager.sh
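Review bot: mustGetMeasurements in the generate.go hunk now builds its two URLs from `constants.CDNMeasurementsFile` and `constants.CDNMeasurementsSignature`, and the measurementsuploader.go hunk of this same commit writes the uploaded objects under those same two constants, so the fetch side and the upload side are now coupled through them; nothing in the doc comment says so, and a reader of this file alone cannot see it. Appending `// The object names come from constants.CDNMeasurementsFile and constants.CDNMeasurementsSignature and must match what measurementsuploader.Upload writes.` to the existing comment would make the dependency visible. The function body continues past the hunk.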
@@ -8,7 +8,7 @@ echo "Pulling cert-manager Helm chart..."
 version="1.12.6"
 function cleanup {
- rm -r "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
+ rm -rf "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
 }
 trap cleanup EXIT
diff --git a/internal/constellation/helm/generateCilium.sh b/internal/constellation/helm/generateCilium.sh
index 9f2ac1e12d..9a1f42921d 100755
--- a/internal/constellation/helm/generateCilium.sh
+++ b/internal/constellation/helm/generateCilium.sh
@@ -7,7 +7,7 @@ shopt -s inherit_errexit
 echo "Pulling Cilium Helm chart..."
 function cleanup {
- rm -r "${ciliumTmpDir}"
+ rm -rf -- "${ciliumTmpDir}"
 }
 trap cleanup EXIT
diff --git a/internal/constellation/helm/update-csi-charts.sh b/internal/constellation/helm/update-csi-charts.sh
index 9c2e70531b..36ddd7dcdc 100755
--- a/internal/constellation/helm/update-csi-charts.sh
+++ b/internal/constellation/helm/update-csi-charts.sh
@@ -27,9 +27,6 @@ fi
 # $3: path to the Helm chart in the git repo
 # $4: name of the Helm chart
 download_chart() {
- cleanup() {
- rm -r "${repo_tmp_dir}"
- }
 chart_url=$1
 branch=$2
 chart_dir=$3
@@ -55,19 +52,19 @@ download_chart() {
 cd "${callDir}"
 # remove old chart
- rm -r "${chart_base_path:?}/${chart_name}"
+ rm -rf -- "${chart_base_path:?}/${chart_name}"
 # move new chart
 mkdir -p "${chart_base_path}/${chart_name}"
 cp -r "${repo_tmp_dir}/${chart_dir}"/* "${chart_base_path}/${chart_name}"
+ rm -r -- "${repo_tmp_dir}"
+
 # get new version from Chart.yaml
 new_version=$(yq '.version' "${chart_base_path}/${chart_name}/Chart.yaml")
 # update dependency version in parent Chart.yaml
 yq -i "(.dependencies[] | select( .name== \"${chart_name}\").version) = \"${new_version}\"" "${csi_chart_path}/Chart.yaml"
-
- return
 }
 ## AWS CSI Driver
diff --git a/internal/osimage/measurementsuploader/measurementsuploader.go b/internal/osimage/measurementsuploader/measurementsuploader.go
index 7e98a41b20..ab2bcce7bd 100644
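Review bot: The new `rm -r -- "${repo_tmp_dir}"` in the second update-csi-charts.sh hunk only runs on the success path after `cp -r`, so if an earlier step of download_chart fails while the script is running under errexit (the sibling scripts use `shopt -s inherit_errexit`, so that seems likely here too) the temporary clone is left behind; the nested `cleanup()` the first hunk deletes was not wired to a trap anywhere visible either, so this is not a regression, but this commit was the moment to close it. A script-level `trap` that removes `"${repo_tmp_dir}"` on EXIT, as the generateCilium.sh and generateCertManager.sh hunks in this same commit do, would cover both paths. Also, `${chart_base_path:?}` guards its recursive delete against an unset variable while `"${repo_tmp_dir}"` is not guarded the same way; `rm -r -- "${repo_tmp_dir:?}"` keeps the two consistent. download_chart opens in the first hunk, and the assignment of repo_tmp_dir lies outside both hunks.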
--- a/internal/osimage/measurementsuploader/measurementsuploader.go
+++ b/internal/osimage/measurementsuploader/measurementsuploader.go
@@ -84,11 +84,11 @@ func (a *Uploader) Upload(ctx context.Context, rawMeasurement, signature io.Read
 if err != nil {
 return "", "", fmt.Errorf("creating version: %w", err)
 }
- key, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), "measurements.json")
+ key, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), constants.CDNMeasurementsFile)
 if err != nil {
 return "", "", err
 }
- sigKey, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), "measurements.json.sig")
+ sigKey, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), constants.CDNMeasurementsSignature)
 if err != nil {
 return "", "", err
 }
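Review bot: This hunk references `constants.CDNMeasurementsFile` and `constants.CDNMeasurementsSignature`, but unlike every other Go file in this commit there is no import hunk for measurementsuploader.go, so either the file already imported `internal/constants` before this change or the import is missing; the diff alone cannot tell, so it is worth confirming the package builds. Upload starts before this hunk (its signature is cut at `io.Read` in the hunk header) and the rest of the function follows it.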