edgelesssys · burgerdev · Jan 9, 2024 · Dec 14, 2023 · Dec 20, 2023 · Dec 20, 2023
diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml
@@ -65,7 +65,7 @@ runs:
     - name: Install Helm
       uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
       with:
-        version: latest
+        version: v3.9.0
 
     - name: Deploy Logstash
       id: deploy-logstash

diff --git a/.github/actions/login_gcp/action.yml b/.github/actions/login_gcp/action.yml
@@ -19,8 +19,6 @@ runs:
         echo "GCP_PROJECT=" >> "$GITHUB_ENV"
         echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
 
-    # As described at:
-    # https://github.com/google-github-actions/setup-gcloud#service-account-key-json
     - name: Authorize GCP access
       uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
       with:

diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
@@ -126,6 +126,4 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Remove temporary branch
-        env:
-          WORKING_BRANCH: ${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}
-        run: git push origin --delete "${WORKING_BRANCH}"
+        run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
@@ -1,4 +1,11 @@
-# Build Constellation CLI + OS images and check for reproducible builds
+# Verify that Constellation builds are reproducible.
+#
+# The build-* jobs' matrix has two dimensions: a list of targets to build and
+# a list of runners to build on. The produced binaries and OS images are
+# expected to be bit-for-bit identical, regardless of the chosen build runner.
+#
+# The compare-* jobs only have the target dimension. They obtain the built
+# targets from all runners and check that there are no diffs between them.
 name: Reproducible Builds
 
 on:

@@ -114,7 +114,6 @@ func main() {
 		)
 		openDevice = vtpm.OpenVTPM
 		fs = afero.NewOsFs()
-		log.Infof("Added load balancer IP to routing table")
 
 	case cloudprovider.Azure:
 		metadata, err := azurecloud.New(ctx)

diff --git a/cli/internal/cmd/configfetchmeasurements.go b/cli/internal/cmd/configfetchmeasurements.go
@@ -153,7 +153,7 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
 			return fmt.Errorf("fetching and verifying measurements: %w", err)
 		}
 	}
-	cfm.log.Debugf("Measurements:\n", fetchedMeasurements)
+	cfm.log.Debugf("Measurements: %#v\n", fetchedMeasurements)
 
 	cfm.log.Debugf("Updating measurements in configuration")
 	conf.UpdateMeasurements(fetchedMeasurements)

@@ -7,6 +7,7 @@ go_library(
     visibility = ["//visibility:private"],
     deps = [
         "//internal/api/versionsapi",
+        "//internal/constants",
         "//internal/logger",
         "//internal/versions",
         "@org_uber_go_zap//zapcore",

@@ -12,6 +12,7 @@ import (
 	"flag"
 
 	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/versions"
 	"go.uber.org/zap/zapcore"
@@ -49,7 +50,7 @@ func main() {
 		cliInfo.Kubernetes = append(cliInfo.Kubernetes, v.ClusterVersion)
 	}
 
-	c, cclose, err := versionsapi.NewClient(ctx, "eu-central-1", "cdn-constellation-backend", "E1H77EZTHC3NE4", false, log)
+	c, cclose, err := versionsapi.NewClient(ctx, "eu-central-1", "cdn-constellation-backend", constants.CDNDefaultDistributionID, false, log)
 	if err != nil {
 		log.Fatalf("creating s3 client: %w", err)
 	}

@@ -27,6 +27,7 @@ go_library(
         "//internal/api/versionsapi",
         "//internal/attestation/measurements",
         "//internal/cloud/cloudprovider",
+        "//internal/constants",
         "//internal/logger",
         "//internal/osimage",
         "//internal/osimage/archive",

@@ -9,6 +9,7 @@ package cmd
 import (
 	"os"
 
+	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/spf13/cobra"
 )
 
@@ -32,7 +33,7 @@ func NewImageCmd() *cobra.Command {
 	cmd.PersistentFlags().String("timestamp", "", "Optional timestamp to use for resource names. Uses format 2006-01-02T15:04:05Z07:00.")
 	cmd.PersistentFlags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 	cmd.PersistentFlags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
-	cmd.PersistentFlags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+	cmd.PersistentFlags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 	cmd.PersistentFlags().String("out", "", "Optional path to write the upload result to. If not set, the result is written to stdout.")
 	cmd.PersistentFlags().Bool("verbose", false, "Enable verbose output")
 	must(cmd.MarkPersistentFlagRequired("raw-image"))

@@ -12,6 +12,7 @@ import (
 	"os"
 
 	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	infoupload "github.com/edgelesssys/constellation/v2/internal/osimage/imageinfo"
 	"github.com/spf13/cobra"
@@ -31,7 +32,7 @@ func NewInfoCmd() *cobra.Command {
 
 	cmd.Flags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 	cmd.Flags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
-	cmd.Flags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+	cmd.Flags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 	cmd.Flags().Bool("verbose", false, "Enable verbose output")
 
 	return cmd

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/osimage/measurementsuploader"
 	"github.com/spf13/cobra"
@@ -31,7 +32,7 @@ func newMeasurementsUploadCmd() *cobra.Command {
 	cmd.Flags().String("signature", "", "Path to signature file to upload")
 	cmd.Flags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 	cmd.Flags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
-	cmd.Flags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+	cmd.Flags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 	cmd.Flags().Bool("verbose", false, "Enable verbose output")
 
 	must(cmd.MarkFlagRequired("measurements"))

@@ -94,7 +94,7 @@ func runList(cmd *cobra.Command, _ []string) (retErr error) {
 		for _, v := range patchVersions {
 			vers = append(vers, v.Version())
 		}
-		raw, err := json.Marshal(vers)
+		raw, err := json.MarshalIndent(vers, "", "  ")
 		if err != nil {
 			return fmt.Errorf("marshaling versions: %w", err)
 		}

@@ -11,6 +11,7 @@ go_library(
         "//internal/attestation/measurements",
         "//internal/attestation/variant",
         "//internal/cloud/cloudprovider",
+        "//internal/constants",
         "//internal/sigstore",
         "//internal/sigstore/keyselect",
         "@org_golang_x_tools//go/ast/astutil",

@@ -27,6 +27,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/sigstore"
 	"github.com/edgelesssys/constellation/v2/internal/sigstore/keyselect"
 	"golang.org/x/tools/go/ast/astutil"
@@ -109,11 +110,11 @@ func main() {
 
 // mustGetMeasurements fetches the measurements for the given image and CSP and verifies them.
 func mustGetMeasurements(ctx context.Context, verifier rekorVerifier, provider cloudprovider.Provider, attestationVariant variant.Variant, image string) measurements.M {
-	measurementsURL, err := measurementURL(image, "measurements.json")
+	measurementsURL, err := measurementURL(image, constants.CDNMeasurementsFile)
 	if err != nil {
 		panic(err)
 	}
-	signatureURL, err := measurementURL(image, "measurements.json.sig")
+	signatureURL, err := measurementURL(image, constants.CDNMeasurementsSignature)
 	if err != nil {
 		panic(err)
 	}

@@ -8,7 +8,7 @@ echo "Pulling cert-manager Helm chart..."
 version="1.12.6"
 
 function cleanup {
-  rm -r "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
+  rm -rf "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
 }
 
 trap cleanup EXIT

@@ -7,7 +7,7 @@ shopt -s inherit_errexit
 echo "Pulling Cilium Helm chart..."
 
 function cleanup {
-  rm -r "${ciliumTmpDir}"
+  rm -rf -- "${ciliumTmpDir}"
 }
 
 trap cleanup EXIT

@@ -27,9 +27,6 @@ fi
 #   $3: path to the Helm chart in the git repo
 #   $4: name of the Helm chart
 download_chart() {
-  cleanup() {
-    rm -r "${repo_tmp_dir}"
-  }
   chart_url=$1
   branch=$2
   chart_dir=$3
@@ -55,19 +52,19 @@ download_chart() {
   cd "${callDir}"
 
   # remove old chart
-  rm -r "${chart_base_path:?}/${chart_name}"
+  rm -rf -- "${chart_base_path:?}/${chart_name}"
 
   # move new chart
   mkdir -p "${chart_base_path}/${chart_name}"
   cp -r "${repo_tmp_dir}/${chart_dir}"/* "${chart_base_path}/${chart_name}"
 
+  rm -r -- "${repo_tmp_dir}"
+
   # get new version from Chart.yaml
   new_version=$(yq '.version' "${chart_base_path}/${chart_name}/Chart.yaml")
 
   # update dependency version in parent Chart.yaml
   yq -i "(.dependencies[] | select( .name== \"${chart_name}\").version) = \"${new_version}\"" "${csi_chart_path}/Chart.yaml"
-
-  return
 }
 
 ## AWS CSI Driver

@@ -84,11 +84,11 @@ func (a *Uploader) Upload(ctx context.Context, rawMeasurement, signature io.Read
 	if err != nil {
 		return "", "", fmt.Errorf("creating version: %w", err)
 	}
-	key, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), "measurements.json")
+	key, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), constants.CDNMeasurementsFile)
 	if err != nil {
 		return "", "", err
 	}
-	sigKey, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), "measurements.json.sig")
+	sigKey, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), constants.CDNMeasurementsSignature)
 	if err != nil {
 		return "", "", err
 	}