From 31cca4022e498d0dfd288bc5f3b1ac92e6ecd46f Mon Sep 17 00:00:00 2001 From: miampf Date: Fri, 27 Sep 2024 16:16:25 +0200 Subject: [PATCH 01/34] first structure of test --- e2e/aks-runtime/aks_runtime_test.go | 120 ++++++++++++++++++++++ e2e/internal/contrasttest/contrasttest.go | 4 +- packages/by-name/contrast/package.nix | 1 + 3 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 e2e/aks-runtime/aks_runtime_test.go diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go new file mode 100644 index 0000000000..3b342ae322 --- /dev/null +++ b/e2e/aks-runtime/aks_runtime_test.go 
@@ -0,0 +1,120 @@ +// Copyright 2024 Edgeless Systems GmbH +// SPDX-License-Identifier: AGPL-3.0-only + +//go:build e2e + +package aksruntime + +import ( + "bytes" + "context" + "flag" + "io" + "os" + "path" + "testing" + "time" + + "github.com/edgelesssys/contrast/cli/cmd" + "github.com/edgelesssys/contrast/e2e/internal/contrasttest" + "github.com/edgelesssys/contrast/e2e/internal/kubeclient" + "github.com/edgelesssys/contrast/internal/kubeapi" + "github.com/edgelesssys/contrast/internal/kuberesource" + "github.com/edgelesssys/contrast/internal/platforms" + "github.com/stretchr/testify/require" +) + +const ( + opensslFrontend = "openssl-frontend" + opensslBackend = "openssl-backend" +) + +var ( + imageReplacementsFile, namespaceFile, platformStr string + skipUndeploy bool +) + +func TestAKSRuntime(t *testing.T) { + // TODO: Log kata information + require := require.New(t) + + workdir := t.TempDir() + + f, err := os.Open(imageReplacementsFile) + require.NoError(err) + imageReplacements, err := kuberesource.ImageReplacementsFromFile(f) + require.NoError(err) + namespace := contrasttest.MakeNamespace(t) + + c := kubeclient.NewForTest(t) + + // create the namespace + ns, err := kuberesource.ResourcesToUnstructured([]any{kuberesource.Namespace(namespace)}) + require.NoError(err) + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + err = c.Apply(ctx, ns...) 
+ cancel() + require.NoError(err) + if namespaceFile != "" { + require.NoError(os.WriteFile(namespaceFile, []byte(namespace), 0o644)) + } + + // define resources + resources := kuberesource.OpenSSL() + // TODO: check if this can be removed since they are overwritten later + resources = kuberesource.PatchRuntimeHandlers(resources, "kata-cc-isolation") + resources = kuberesource.PatchNamespaces(resources, namespace) + resources = kuberesource.PatchImages(resources, imageReplacements) + + toWrite, err := kuberesource.ResourcesToUnstructured(resources) + require.NoError(err) + + t.Log("generating policies...") + // generate policies + resourceBytes, err := kuberesource.EncodeUnstructured(toWrite) + require.NoError(err) + require.NoError(os.WriteFile(path.Join(workdir, "resources.yaml"), resourceBytes, 0o644)) + + platform, err := platforms.FromString(platformStr) + require.NoError(err) + args := []string{ + "--image-replacements", imageReplacementsFile, + "--reference-values", platform.String(), + path.Join(workdir, "resources.yaml"), + } + + generate := cmd.NewGenerateCmd() + generate.Flags().String("workspace-dir", "", "") // Make generate aware of root flags + generate.Flags().String("log-level", "debug", "") + generate.SetArgs(args) + generate.SetOut(io.Discard) + errBuf := &bytes.Buffer{} + generate.SetErr(errBuf) + + // load in generated resources and patch the runtime handler again + resourceBytes, err = os.ReadFile(path.Join(workdir, "resources.yaml")) + require.NoError(err) + toApply, err := kubeapi.UnmarshalUnstructuredK8SResource(resourceBytes) + require.NoError(err) + t.Logf("%#v", toApply) + + t.Log("policies generated!") + + ctx, cancel = context.WithTimeout(context.Background(), 3*time.Minute) + defer cancel() + err = c.Apply(ctx, toApply...) 
+ require.NoError(err) + require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, opensslBackend)) + require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, opensslFrontend)) + c.LogDebugInfo(context.Background()) +} + +func TestMain(m *testing.M) { + flag.StringVar(&imageReplacementsFile, "image-replacements", "", "path to image replacements file") + flag.StringVar(&namespaceFile, "namespace-file", "", "file to store the namespace in") + flag.StringVar(&platformStr, "platform", "", "Deployment platform") + flag.BoolVar(&skipUndeploy, "skip-undeploy", false, "skip undeploy step in the test") + flag.Parse() + + os.Exit(m.Run()) +} diff --git a/e2e/internal/contrasttest/contrasttest.go b/e2e/internal/contrasttest/contrasttest.go index 2718f58fc0..1cb2b72e23 100644 --- a/e2e/internal/contrasttest/contrasttest.go +++ b/e2e/internal/contrasttest/contrasttest.go @@ -52,7 +52,7 @@ type ContrastTest struct { // New creates a new contrasttest.T object bound to the given test. func New(t *testing.T, imageReplacements, namespaceFile string, platform platforms.Platform, skipUndeploy bool) *ContrastTest { return &ContrastTest{ - Namespace: makeNamespace(t), + Namespace: MakeNamespace(t), WorkDir: t.TempDir(), ImageReplacementsFile: imageReplacements, Platform: platform, @@ -372,7 +372,7 @@ func (ct *ContrastTest) FactorPlatformTimeout(timeout time.Duration) time.Durati } } -func makeNamespace(t *testing.T) string { +func MakeNamespace(t *testing.T) string { buf := make([]byte, 4) re := regexp.MustCompile("[a-z0-9-]+") n, err := rand.Reader.Read(buf) diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index 1326394eaa..a4ce7ba466 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -38,6 +38,7 @@ let "e2e/workloadsecret" "e2e/volumestatefulset" "e2e/regression" + "e2e/aks-runtime" ]; }; 
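Review bot: The generate command set up at the end of the policy block is configured but never executed — `generate.SetErr(errBuf)` is the last call on it and `Execute()` is missing — so `resources.yaml` is read back exactly as it was written and the "policies generated!" log does not reflect what happened. Add `require.NoError(generate.Execute(), errBuf.String())` directly after `generate.SetErr(errBuf)` so a failing generate also surfaces its stderr. The handle from `os.Open(imageReplacementsFile)` is never closed; `defer f.Close()` after its error check fixes that. The `skipUndeploy` flag is registered in TestMain but nothing in TestAKSRuntime reads it, so no undeploy step exists yet.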
From 6bf38d42c374c8ba482f1c1123876f46590c9a48 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 15 Oct 2024 12:08:50 +0200 Subject: [PATCH 02/34] add confcom over overlay --- flake.nix | 4 +++ overlays/nixpkgs.nix | 60 ++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index bf61d2b5e2..d22f74496c 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,10 @@ overlays = [ (import ./overlays/nixpkgs.nix) ]; config.allowUnfree = true; config.nvidia.acceptLicense = true; + # TODO(miampf): REMOVE AGAIN ONCE UNNEEDED + config.permittedInsecurePackages = [ + "openssl-1.1.1w" + ]; }; inherit (pkgs) lib; treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; diff --git a/overlays/nixpkgs.nix b/overlays/nixpkgs.nix index 84db71bc97..b50918cad9 100644 --- a/overlays/nixpkgs.nix +++ b/overlays/nixpkgs.nix 
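Review bot: `config.permittedInsecurePackages = [ "openssl-1.1.1w" ]` admits an end-of-life OpenSSL into every evaluation of this package set, not only into the derivation that needs it, and the TODO gives no condition under which it can go. Presumably it exists for the confcom extension, whose `buildInputs` list `prev.openssl_1_1` in overlays/nixpkgs.nix; say so where the allowlist is, e.g. `# TODO(miampf): only needed while the confcom extension's prebuilt genpolicy binary depends on openssl 1.1; remove together with it`. If this OpenSSL is reachable only from the e2e tooling and not from shipped artifacts, stating that in the same comment would spare the next reader an audit.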
@@ -1,7 +1,60 @@ # Copyright 2024 Edgeless Systems GmbH # SPDX-License-Identifier: AGPL-3.0-only -final: prev: { +final: prev: +let + # Builder for Azure CLI extensions. Extensions are Python wheels that + # outside of nix would be fetched by the CLI itself from various sources. + mkAzExtension = + { + pname, + url, + sha256, + description, + ... + }@args: + prev.python3.pkgs.buildPythonPackage ( + { + format = "wheel"; + src = prev.fetchurl { inherit url sha256; }; + meta = { + inherit description; + inherit (prev.azure-cli.meta) platforms maintainers; + homepage = "https://github.com/Azure/azure-cli-extensions"; + changelog = "https://github.com/Azure/azure-cli-extensions/blob/main/src/${pname}/HISTORY.rst"; + license = prev.lib.licenses.mit; + sourceProvenance = [ prev.lib.sourceTypes.fromSource ]; + } // args.meta or { }; + } + // (removeAttrs args [ + "url" + "sha256" + "description" + "meta" + ]) + ); + + confcom = mkAzExtension rec { + pname = "confcom"; + version = "1.0.0"; + url = "https://azcliprod.blob.core.windows.net/cli-extensions/confcom-${version}-py3-none-any.whl"; + sha256 = "73823e10958a114b4aca84c330b4debcc650c4635e74c568679b6c32c356411d"; + description = "Microsoft Azure Command-Line Tools Confidential Container Security Policy Generator Extension"; + nativeBuildInputs = [ prev.autoPatchelfHook ]; + buildInputs = [ prev.openssl_1_1 ]; + propagatedBuildInputs = with prev.python3Packages; [ + pyyaml + deepdiff + docker + tqdm + ]; + postInstall = '' + chmod +x $out/${prev.python3.sitePackages}/azext_confcom/bin/genpolicy-linux + ''; + meta.maintainers = with prev.lib.maintainers; [ miampf ]; + }; +in +{ # Use when a version of Go is needed that is not available in the nixpkgs yet. # go_1_xx = prev.go_1_xx.overrideAttrs (finalAttrs: _prevAttrs: { # version = ""; 
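Review bot: `mkAzExtension` defaults `sourceProvenance` to `prev.lib.sourceTypes.fromSource`, but `confcom` is a prebuilt wheel that ships a native `genpolicy-linux` executable (hence `autoPatchelfHook` and the `chmod +x` in `postInstall`), so the provenance metadata misdescribes what enters the closure. Since the builder merges `args.meta`, set `meta.sourceProvenance = [ prev.lib.sourceTypes.binaryNativeCode ];` on `confcom` next to `meta.maintainers`. Pinning the wheel by `sha256` is the right call; keep `version` and the hash updated together. The attribute set opened by the `{` at the end of the hunk continues outside it.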
@@ -13,7 +66,10 @@ final: prev: { # Add the required extensions to the Azure CLI. azure-cli = prev.azure-cli.override { - withExtensions = with final.azure-cli.extensions; [ aks-preview ]; + withExtensions = with final.azure-cli.extensions; [ + aks-preview + confcom + ]; }; # Use a newer uplosi that has fixes for private galleries. From 98f537f3be2fcde9cef72c301d88bb9d1c731fcd Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 15 Oct 2024 12:23:29 +0200 Subject: [PATCH 03/34] write internal `az` package --- e2e/aks-runtime/aks_runtime_test.go | 39 +++++++++++++-------------- e2e/internal/az/aks.go | 29 ++++++++++++++++++++ e2e/internal/az/confcom.go | 23 ++++++++++++++++ packages/by-name/contrast/package.nix | 15 ++++++++++- 4 files changed, 85 insertions(+), 21 deletions(-) create mode 100644 e2e/internal/az/aks.go create mode 100644 e2e/internal/az/confcom.go diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index 3b342ae322..67bef9d22e 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -6,21 +6,18 @@ package aksruntime import ( - "bytes" "context" "flag" - "io" "os" "path" "testing" "time" - "github.com/edgelesssys/contrast/cli/cmd" + "github.com/edgelesssys/contrast/e2e/internal/confcom" "github.com/edgelesssys/contrast/e2e/internal/contrasttest" "github.com/edgelesssys/contrast/e2e/internal/kubeclient" "github.com/edgelesssys/contrast/internal/kubeapi" "github.com/edgelesssys/contrast/internal/kuberesource" - "github.com/edgelesssys/contrast/internal/platforms" "github.com/stretchr/testify/require" ) 
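Review bot: The new import path `github.com/edgelesssys/contrast/e2e/internal/confcom` does not match the package this commit adds, which lives at `e2e/internal/az` and declares `package az`, so the test file cannot build at this commit; the import should be `"github.com/edgelesssys/contrast/e2e/internal/az"` with the call spelled `az.KataPolicyGen(...)`. Dropping the `platforms` import also leaves the `platformStr` flag registered in TestMain with no reader; either remove the `--platform` flag or keep its consumer.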
@@ -74,22 +71,24 @@ func TestAKSRuntime(t *testing.T) { resourceBytes, err := kuberesource.EncodeUnstructured(toWrite) require.NoError(err) require.NoError(os.WriteFile(path.Join(workdir, "resources.yaml"), resourceBytes, 0o644)) - - platform, err := platforms.FromString(platformStr) - require.NoError(err) - args := []string{ - "--image-replacements", imageReplacementsFile, - "--reference-values", platform.String(), - path.Join(workdir, "resources.yaml"), - } - - generate := cmd.NewGenerateCmd() - generate.Flags().String("workspace-dir", "", "") // Make generate aware of root flags - generate.Flags().String("log-level", "debug", "") - generate.SetArgs(args) - generate.SetOut(io.Discard) - errBuf := &bytes.Buffer{} - generate.SetErr(errBuf) + require.NoError(confcom.KataPolicyGen(t, path.Join(workdir, "resources.yaml"))) + + // + // platform, err := platforms.FromString(platformStr) + // require.NoError(err) + // args := []string{ + // "--image-replacements", imageReplacementsFile, + // "--reference-values", platform.String(), + // path.Join(workdir, "resources.yaml"), + // } + // + // generate := cmd.NewGenerateCmd() + // generate.Flags().String("workspace-dir", "", "") // Make generate aware of root flags + // generate.Flags().String("log-level", "debug", "") + // generate.SetArgs(args) + // generate.SetOut(io.Discard) + // errBuf := &bytes.Buffer{} + // generate.SetErr(errBuf) // load in generated resources and patch the runtime handler again resourceBytes, err = os.ReadFile(path.Join(workdir, "resources.yaml")) diff --git a/e2e/internal/az/aks.go b/e2e/internal/az/aks.go new file mode 100644 index 0000000000..df713e1e98 --- /dev/null +++ b/e2e/internal/az/aks.go 
@@ -0,0 +1,29 @@ +// Copyright 2024 Edgeless Systems GmbH +// SPDX-License-Identifier: AGPL-3.0-only + +//go:build e2e + +package az + +import ( + "encoding/json" + "fmt" + "os/exec" +) + +// NodeImageVersion gets the node image version from the specified cluster +// and resource group. +func NodeImageVersion(clusterName string, rg string) (string, error) { + out, err := exec.Command("az", "aks", "nodepool", "list", "--cluster-name", clusterName, "--resource-group", rg).Output() + if err != nil { + return "", err + } + + var outMap []map[string]interface{} + err = json.Unmarshal(out, &outMap) + if err != nil { + return "", err + } + + return fmt.Sprintf("%s", outMap[0]["nodeImageVersion"]), nil +} diff --git a/e2e/internal/az/confcom.go b/e2e/internal/az/confcom.go new file mode 100644 index 0000000000..f37b74f28b --- /dev/null +++ b/e2e/internal/az/confcom.go @@ -0,0 +1,23 @@ +// Copyright 2024 Edgeless Systems GmbH +// SPDX-License-Identifier: AGPL-3.0-only + +//go:build e2e + +package az + +import ( + "os/exec" + "testing" +) + +// KataPolicyGen executes `az confcom katapolicygen --yaml `. +func KataPolicyGen(t *testing.T, resourcePath string) error { + // log versions and extensions that are used + out, err := exec.Command("az", "confcom", "katapolicygen", "--print-version").Output() + if err != nil { + return err + } + t.Log(string(out)) + + return exec.Command("az", "confcom", "katapolicygen", "--yaml", resourcePath).Run() +} diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index a4ce7ba466..bdd748ea7c 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -3,6 +3,8 @@ { lib, + azure-cli, + makeWrapper, buildGoModule, buildGoTest, microsoft, @@ -26,7 +28,13 @@ let tags = [ "e2e" ]; - ldflags = [ "-s" ]; + nativeBuildInputs = [ + makeWrapper + ]; + + ldflags = [ + "-s" + ]; subPackages = [ "e2e/genpolicy" 
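Review bot: `NodeImageVersion` indexes `outMap[0]` without checking the slice, so a cluster with no node pools (or an unexpected JSON shape) panics the test binary instead of returning an error; add `if len(outMap) == 0 { return "", fmt.Errorf("no node pools in cluster %q (resource group %q)", clusterName, rg) }` before the final return. Only the first pool's version is reported although `az aks nodepool list` returns all pools; if that is intended, the doc comment should say so. `Output()` stores the CLI's stderr in `(*exec.ExitError).Stderr`, which the bare `return "", err` discards, so include it in the error when `errors.As` finds an exit error. The same unchecked index survives the `strings.TrimSpace` change to this function in patch 06.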
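Review bot: `KataPolicyGen` runs `az confcom katapolicygen --yaml` with `.Run()`, which discards stdout and stderr, so a failed policy generation reaches the test only as `exit status 1` without the tool's diagnostics; use `out, err := cmd.CombinedOutput()` and return `fmt.Errorf("az confcom katapolicygen: %w: %s", err, out)`. The caller re-reads `resources.yaml` right after this call, so the file is apparently modified in place by the CLI; the doc comment should state that the file at `resourcePath` is rewritten. The split into `KataPolicyGenVersion`/`KataPolicyGen` in patch 06 keeps the same silent `.Run()`.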
@@ -40,6 +48,11 @@ let "e2e/regression" "e2e/aks-runtime" ]; + + postInstall = '' + wrapProgram $out/bin/aks-runtime.test \ + --prefix PATH : ${lib.makeBinPath [ azure-cli ]} + ''; }; # Reference values that we embed into the Contrast CLI for From 89391c5bd81fd18e9ba516372502fc48c114a771 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 15 Oct 2024 16:15:43 +0200 Subject: [PATCH 04/34] use getdents deployment --- e2e/aks-runtime/aks_runtime_test.go | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index 67bef9d22e..d0f06ff0c7 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -1,7 +1,7 @@ // Copyright 2024 Edgeless Systems GmbH // SPDX-License-Identifier: AGPL-3.0-only -//go:build e2e +///go:build e2e package aksruntime @@ -57,8 +57,7 @@ func TestAKSRuntime(t *testing.T) { } // define resources - resources := kuberesource.OpenSSL() - // TODO: check if this can be removed since they are overwritten later + resources := kuberesource.GetDEnts() resources = kuberesource.PatchRuntimeHandlers(resources, "kata-cc-isolation") resources = kuberesource.PatchNamespaces(resources, namespace) resources = kuberesource.PatchImages(resources, imageReplacements) 
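Review bot: `///go:build e2e` is not a build constraint — the directive must read exactly `//go:build` — so this file now compiles under every tag set while the e2e-internal packages it imports still carry `//go:build e2e`, and a build without the tag fails on those excluded packages. Restore `//go:build e2e`; to run the test locally, pass `-tags e2e` instead of editing the constraint. Patch 06 reverts this line, so the change looks accidental.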
@@ -66,38 +65,17 @@ func TestAKSRuntime(t *testing.T) { toWrite, err := kuberesource.ResourcesToUnstructured(resources) require.NoError(err) - t.Log("generating policies...") // generate policies resourceBytes, err := kuberesource.EncodeUnstructured(toWrite) require.NoError(err) require.NoError(os.WriteFile(path.Join(workdir, "resources.yaml"), resourceBytes, 0o644)) require.NoError(confcom.KataPolicyGen(t, path.Join(workdir, "resources.yaml"))) - // - // platform, err := platforms.FromString(platformStr) - // require.NoError(err) - // args := []string{ - // "--image-replacements", imageReplacementsFile, - // "--reference-values", platform.String(), - // path.Join(workdir, "resources.yaml"), - // } - // - // generate := cmd.NewGenerateCmd() - // generate.Flags().String("workspace-dir", "", "") // Make generate aware of root flags - // generate.Flags().String("log-level", "debug", "") - // generate.SetArgs(args) - // generate.SetOut(io.Discard) - // errBuf := &bytes.Buffer{} - // generate.SetErr(errBuf) - // load in generated resources and patch the runtime handler again resourceBytes, err = os.ReadFile(path.Join(workdir, "resources.yaml")) require.NoError(err) toApply, err := kubeapi.UnmarshalUnstructuredK8SResource(resourceBytes) require.NoError(err) - t.Logf("%#v", toApply) - - t.Log("policies generated!") ctx, cancel = context.WithTimeout(context.Background(), 3*time.Minute) defer cancel() From 22bd9e856ff98f24c61448109f4c4ff4b298d273 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 15 Oct 2024 16:24:18 +0200 Subject: [PATCH 05/34] make test wait for correct container --- e2e/aks-runtime/aks_runtime_test.go | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index d0f06ff0c7..222644c909 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go 
@@ -21,10 +21,7 @@ import ( "github.com/stretchr/testify/require" ) -const ( - opensslFrontend = "openssl-frontend" - opensslBackend = "openssl-backend" -) +const getdentsTester = "getdents-tester" var ( imageReplacementsFile, namespaceFile, platformStr string @@ -32,7 +29,6 @@ var ( ) func TestAKSRuntime(t *testing.T) { - // TODO: Log kata information require := require.New(t) workdir := t.TempDir() @@ -57,6 +53,7 @@ func TestAKSRuntime(t *testing.T) { } // define resources + // TODO: Log kata-agent, guest kernel, node image version with custom container deployment resources := kuberesource.GetDEnts() resources = kuberesource.PatchRuntimeHandlers(resources, "kata-cc-isolation") resources = kuberesource.PatchNamespaces(resources, namespace) @@ -81,9 +78,7 @@ func TestAKSRuntime(t *testing.T) { defer cancel() err = c.Apply(ctx, toApply...) require.NoError(err) - require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, opensslBackend)) - require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, opensslFrontend)) - c.LogDebugInfo(context.Background()) + require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, getdentsTester)) } func TestMain(m *testing.M) { From b5b6915167f2767ea64d40d6f883465ebde0bc87 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 15 Oct 2024 17:11:08 +0200 Subject: [PATCH 06/34] write own deployment renamed container to testcontainer and log versions --- e2e/aks-runtime/aks_runtime_test.go | 38 ++++++++++++++++++++++++----- e2e/internal/az/aks.go | 3 ++- e2e/internal/az/confcom.go | 13 ++++++---- 3 files changed, 42 insertions(+), 12 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index 222644c909..13b1d27464 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go 
@@ -1,7 +1,7 @@ // Copyright 2024 Edgeless Systems GmbH // SPDX-License-Identifier: AGPL-3.0-only -///go:build e2e +//go:build e2e package aksruntime @@ -13,7 +13,7 @@ import ( "testing" "time" - "github.com/edgelesssys/contrast/e2e/internal/confcom" + "github.com/edgelesssys/contrast/e2e/internal/az" "github.com/edgelesssys/contrast/e2e/internal/contrasttest" "github.com/edgelesssys/contrast/e2e/internal/kubeclient" "github.com/edgelesssys/contrast/internal/kubeapi" @@ -21,7 +21,7 @@ import ( "github.com/stretchr/testify/require" ) -const getdentsTester = "getdents-tester" +const testContainer = "testcontainer" var ( imageReplacementsFile, namespaceFile, platformStr string @@ -39,6 +39,14 @@ func TestAKSRuntime(t *testing.T) { require.NoError(err) namespace := contrasttest.MakeNamespace(t) + // Log versions + kataPolicyGenV, err := az.KataPolicyGenVersion() + require.NoError(err) + nodeImageV, err := az.NodeImageVersion("rgMiampf", "rgMiampf") + require.NoError(err) + t.Log("katapolicygen version: ", kataPolicyGenV) + t.Log("node image version: ", nodeImageV) + c := kubeclient.NewForTest(t) // create the namespace 
@@ -52,9 +60,27 @@ func TestAKSRuntime(t *testing.T) { require.NoError(os.WriteFile(namespaceFile, []byte(namespace), 0o644)) } + deployment := kuberesource.Deployment(testContainer, ""). + WithSpec(kuberesource.DeploymentSpec(). + WithReplicas(1). + WithSelector(kuberesource.LabelSelector().WithMatchLabels( + map[string]string{"app.kubernetes.io/name": testContainer}, + )). + WithTemplate(kuberesource.PodTemplateSpec(). + WithLabels(map[string]string{"app.kubernetes.io/name": testContainer}). + WithSpec(kuberesource.PodSpec(). + WithContainers(kuberesource.Container(). + WithName(testContainer). + WithImage("docker.io/bash@sha256:ce062497c248eb1cf4d32927f8c1780cce158d3ed0658c586a5be7308d583cbb"). + WithCommand("/usr/local/bin/bash", "-c", "while true; do sleep 10; done"), + ), + ), + ), + ) + // define resources // TODO: Log kata-agent, guest kernel, node image version with custom container deployment - resources := kuberesource.GetDEnts() + resources := []any{deployment} resources = kuberesource.PatchRuntimeHandlers(resources, "kata-cc-isolation") resources = kuberesource.PatchNamespaces(resources, namespace) resources = kuberesource.PatchImages(resources, imageReplacements) @@ -66,7 +92,7 @@ func TestAKSRuntime(t *testing.T) { resourceBytes, err := kuberesource.EncodeUnstructured(toWrite) require.NoError(err) require.NoError(os.WriteFile(path.Join(workdir, "resources.yaml"), resourceBytes, 0o644)) - require.NoError(confcom.KataPolicyGen(t, path.Join(workdir, "resources.yaml"))) + require.NoError(az.KataPolicyGen(t, path.Join(workdir, "resources.yaml"))) // load in generated resources and patch the runtime handler again resourceBytes, err = os.ReadFile(path.Join(workdir, "resources.yaml")) 
@@ -78,7 +104,7 @@ func TestAKSRuntime(t *testing.T) { defer cancel() err = c.Apply(ctx, toApply...) require.NoError(err) - require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, getdentsTester)) + require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, testContainer)) } func TestMain(m *testing.M) { diff --git a/e2e/internal/az/aks.go b/e2e/internal/az/aks.go index df713e1e98..94800e6cee 100644 --- a/e2e/internal/az/aks.go +++ b/e2e/internal/az/aks.go @@ -9,6 +9,7 @@ import ( "encoding/json" "fmt" "os/exec" + "strings" ) // NodeImageVersion gets the node image version from the specified cluster @@ -25,5 +26,5 @@ func NodeImageVersion(clusterName string, rg string) (string, error) { return "", err } - return fmt.Sprintf("%s", outMap[0]["nodeImageVersion"]), nil + return strings.TrimSpace(fmt.Sprintf("%s", outMap[0]["nodeImageVersion"])), nil } diff --git a/e2e/internal/az/confcom.go b/e2e/internal/az/confcom.go index f37b74f28b..ea8d511280 100644 --- a/e2e/internal/az/confcom.go +++ b/e2e/internal/az/confcom.go @@ -7,17 +7,20 @@ package az import ( "os/exec" + "strings" "testing" ) -// KataPolicyGen executes `az confcom katapolicygen --yaml `. -func KataPolicyGen(t *testing.T, resourcePath string) error { - // log versions and extensions that are used +// KataPolicyGenVersion gets the version string of `az confcom katapolicygen`. +func KataPolicyGenVersion() (string, error) { out, err := exec.Command("az", "confcom", "katapolicygen", "--print-version").Output() if err != nil { - return err + return "", err } - t.Log(string(out)) + return strings.TrimSpace(string(out)), nil +} +// KataPolicyGen executes `az confcom katapolicygen --yaml `. +func KataPolicyGen(t *testing.T, resourcePath string) error { return exec.Command("az", "confcom", "katapolicygen", "--yaml", resourcePath).Run() } From ed89e8b401b8035707ba0baea8b148c580f7c1e4 Mon Sep 17 00:00:00 2001 
From: miampf Date: Thu, 17 Oct 2024 14:14:43 +0200 Subject: [PATCH 07/34] finish e2e test and logging some cleanup and comments respect build tag remove unneccessary if add cleanup --- e2e/aks-runtime/aks_runtime_test.go | 35 ++++++++++++++++++++++++----- overlays/nixpkgs.nix | 1 + 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index 13b1d27464..c25e277287 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -19,13 +19,15 @@ import ( "github.com/edgelesssys/contrast/internal/kubeapi" "github.com/edgelesssys/contrast/internal/kuberesource" "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) const testContainer = "testcontainer" var ( - imageReplacementsFile, namespaceFile, platformStr string - skipUndeploy bool + imageReplacementsFile, namespaceFile, _platformStr string + skipUndeploy bool ) func TestAKSRuntime(t *testing.T) { @@ -42,7 +44,8 @@ func TestAKSRuntime(t *testing.T) { // Log versions kataPolicyGenV, err := az.KataPolicyGenVersion() require.NoError(err) - nodeImageV, err := az.NodeImageVersion("rgMiampf", "rgMiampf") + rg := os.Getenv("azure_resource_group") + nodeImageV, err := az.NodeImageVersion(rg, rg) require.NoError(err) t.Log("katapolicygen version: ", kataPolicyGenV) t.Log("node image version: ", nodeImageV) @@ -60,6 +63,7 @@ func TestAKSRuntime(t *testing.T) { require.NoError(os.WriteFile(namespaceFile, []byte(namespace), 0o644)) } + // simple deployment that logs the kernel version and then sleeps deployment := kuberesource.Deployment(testContainer, ""). WithSpec(kuberesource.DeploymentSpec(). WithReplicas(1). 
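Review bot: `rg := os.Getenv("azure_resource_group")` is passed as both cluster name and resource group without checking that it is set, so on a runner without the variable `az aks nodepool list` runs with empty `--cluster-name`/`--resource-group` and the test fails with the CLI's generic error rather than a clear message; add `require.NotEmpty(rg, "azure_resource_group must be set")` before the call and note in a comment that the test assumes the cluster shares its resource group's name. Renaming to `_platformStr` silences the unused-variable finding but keeps a flag that is parsed and never read; drop the `--platform` flag or use the value. A leading underscore is not an idiomatic Go identifier.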
@@ -72,14 +76,13 @@ func TestAKSRuntime(t *testing.T) { WithContainers(kuberesource.Container(). WithName(testContainer). WithImage("docker.io/bash@sha256:ce062497c248eb1cf4d32927f8c1780cce158d3ed0658c586a5be7308d583cbb"). - WithCommand("/usr/local/bin/bash", "-c", "while true; do sleep 10; done"), + WithCommand("/usr/local/bin/bash", "-c", "uname -r; while true; do sleep 10; done"), ), ), ), ) // define resources - // TODO: Log kata-agent, guest kernel, node image version with custom container deployment resources := []any{deployment} resources = kuberesource.PatchRuntimeHandlers(resources, "kata-cc-isolation") resources = kuberesource.PatchNamespaces(resources, namespace) 
@@ -105,12 +108,32 @@ func TestAKSRuntime(t *testing.T) { err = c.Apply(ctx, toApply...) require.NoError(err) require.NoError(c.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, namespace, testContainer)) + + t.Cleanup(func() { + if skipUndeploy { + return + } + + // delete the deployment + deletePolicy := metav1.DeletePropagationForeground + require.NoError(c.Client.AppsV1().Deployments(namespace).Delete(context.Background(), testContainer, metav1.DeleteOptions{ + PropagationPolicy: &deletePolicy, + })) + }) + + pods, err := c.Client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{}) + require.NoError(err) + pod := pods.Items[0] // only one pod was deployed + + logs, err := c.Client.CoreV1().Pods(namespace).GetLogs(pod.Name, &corev1.PodLogOptions{}).DoRaw(ctx) + require.NoError(err) + t.Logf("kernel version in pod %s: %s", pod.Name, string(logs)) } func TestMain(m *testing.M) { flag.StringVar(&imageReplacementsFile, "image-replacements", "", "path to image replacements file") flag.StringVar(&namespaceFile, "namespace-file", "", "file to store the namespace in") - flag.StringVar(&platformStr, "platform", "", "Deployment platform") + flag.StringVar(&_platformStr, "platform", "", "Deployment platform") flag.BoolVar(&skipUndeploy, "skip-undeploy", false, "skip undeploy step in the test") flag.Parse() diff --git a/overlays/nixpkgs.nix b/overlays/nixpkgs.nix index b50918cad9..b4f4fdeb69 100644 --- a/overlays/nixpkgs.nix +++ b/overlays/nixpkgs.nix @@ -2,6 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-only final: prev: +# TODO(miampf): Remove unneccessary block once https://github.com/NixOS/nixpkgs/pull/345326 is merged into unstable nixpkgs let # Builder for Azure CLI extensions. Extensions are Python wheels that # outside of nix would be fetched by the CLI itself from various sources. From 601f400cd7a0c7a31896d928ca16e8011c27244e Mon Sep 17 00:00:00 2001 
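Review bot: `t.Cleanup` is registered only after `c.Apply` and `c.WaitFor` have succeeded, so when either `require.NoError` fails the deployment stays in the cluster even with `--skip-undeploy=false`; move the `t.Cleanup(...)` block above `err = c.Apply(ctx, toApply...)`. `pods.Items[0]` is indexed without a guard and the `ListOptions{}` carries no selector, so an empty or unexpected listing panics rather than failing the test; `require.Len(pods.Items, 1)` before the index, with `LabelSelector: "app.kubernetes.io/name=" + testContainer` on the list options, pins what the comment "only one pod was deployed" assumes. TestAKSRuntime begins outside this hunk.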
From: miampf Date: Thu, 17 Oct 2024 15:12:54 +0200 Subject: [PATCH 08/34] write github workflow --- .github/workflows/e2e_aks_runtime.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/e2e_aks_runtime.yml diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml new file mode 100644 index 0000000000..06f69a9d37 --- /dev/null +++ b/.github/workflows/e2e_aks_runtime.yml @@ -0,0 +1,25 @@ +name: e2e test aks runtime + +on: + schedule: + - cron: "16 6 * * 6" # 6:16 on Saturdays + pull_request: + paths: + - e2e/aks-runtime/** + +jobs: + test_matrix: + strategy: + fail-fast: false + name: Test aks runtime + uses: ./.github/workflows/e2e.yml + with: + skip-undeploy: false + test-name: aks-runtime + platform: AKS-CLH-SNP + runner: ubuntu-22.04 + self-hosted: false + secrets: inherit + permissions: + contents: read + packages: write From ea9eeef6e561375fc60f9f405693038ed8a55dae Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 17 Oct 2024 16:02:48 +0200 Subject: [PATCH 09/34] formatting golangci --- e2e/aks-runtime/aks_runtime_test.go | 2 +- e2e/internal/az/confcom.go | 3 +-- e2e/internal/contrasttest/contrasttest.go | 1 + packages/by-name/contrast/package.nix | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index c25e277287..b88c35eb6b 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go 
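Review bot: The job is triggered by `pull_request` yet calls the reusable workflow with `secrets: inherit` and `permissions: packages: write`, which is more than a read-only runtime check needs; if `e2e.yml` does not push images for this test, `packages: read` (or omitting the key) keeps the PR path least-privileged. GitHub withholds inherited secrets and write tokens for fork PRs, so this mainly affects same-repo branches, but the grant should still match what the job does. The cron comment is correct; adding "UTC" (`# 06:16 UTC on Saturdays`) removes the remaining ambiguity.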
@@ -95,7 +95,7 @@ func TestAKSRuntime(t *testing.T) { resourceBytes, err := kuberesource.EncodeUnstructured(toWrite) require.NoError(err) require.NoError(os.WriteFile(path.Join(workdir, "resources.yaml"), resourceBytes, 0o644)) - require.NoError(az.KataPolicyGen(t, path.Join(workdir, "resources.yaml"))) + require.NoError(az.KataPolicyGen(path.Join(workdir, "resources.yaml"))) // load in generated resources and patch the runtime handler again resourceBytes, err = os.ReadFile(path.Join(workdir, "resources.yaml")) diff --git a/e2e/internal/az/confcom.go b/e2e/internal/az/confcom.go index ea8d511280..62a1a0ab83 100644 --- a/e2e/internal/az/confcom.go +++ b/e2e/internal/az/confcom.go @@ -8,7 +8,6 @@ package az import ( "os/exec" "strings" - "testing" ) // KataPolicyGenVersion gets the version string of `az confcom katapolicygen`. @@ -21,6 +20,6 @@ func KataPolicyGenVersion() (string, error) { } // KataPolicyGen executes `az confcom katapolicygen --yaml `. -func KataPolicyGen(t *testing.T, resourcePath string) error { +func KataPolicyGen(resourcePath string) error { return exec.Command("az", "confcom", "katapolicygen", "--yaml", resourcePath).Run() } diff --git a/e2e/internal/contrasttest/contrasttest.go b/e2e/internal/contrasttest/contrasttest.go index 1cb2b72e23..249bf3c04e 100644 --- a/e2e/internal/contrasttest/contrasttest.go +++ b/e2e/internal/contrasttest/contrasttest.go @@ -372,6 +372,7 @@ func (ct *ContrastTest) FactorPlatformTimeout(timeout time.Duration) time.Durati } } +// MakeNamespace creates a namespace string using a given *testing.T. func MakeNamespace(t *testing.T) string { buf := make([]byte, 4) re := regexp.MustCompile("[a-z0-9-]+") diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index bdd748ea7c..0179ccb00e 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -32,7 +32,7 @@ let makeWrapper ]; - ldflags = [ + ldflags = [ "-s" ]; 
From cc6c9803c3b379d77a3f0dade47f40fab308cad8 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 22 Oct 2024 10:57:57 +0200 Subject: [PATCH 10/34] don't fail fast --- .github/workflows/e2e_aks_runtime.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index 06f69a9d37..b598d5e2c4 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -9,8 +9,6 @@ on: jobs: test_matrix: - strategy: - fail-fast: false name: Test aks runtime uses: ./.github/workflows/e2e.yml with: From c0086dc28cd6ebe8899e65ce0411ede32ba8921b Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 22 Oct 2024 11:11:21 +0200 Subject: [PATCH 11/34] patch misleading comment + `sleep infinity` --- e2e/aks-runtime/aks_runtime_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index b88c35eb6b..57ad63003e 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -76,7 +76,7 @@ func TestAKSRuntime(t *testing.T) { WithContainers(kuberesource.Container(). WithName(testContainer). WithImage("docker.io/bash@sha256:ce062497c248eb1cf4d32927f8c1780cce158d3ed0658c586a5be7308d583cbb"). - WithCommand("/usr/local/bin/bash", "-c", "uname -r; while true; do sleep 10; done"), + WithCommand("/usr/local/bin/bash", "-c", "uname -r; sleep infinity"), ), ), ), @@ -97,7 +97,7 @@ func TestAKSRuntime(t *testing.T) { require.NoError(os.WriteFile(path.Join(workdir, "resources.yaml"), resourceBytes, 0o644)) require.NoError(az.KataPolicyGen(path.Join(workdir, "resources.yaml"))) - // load in generated resources and patch the runtime handler again + // load in generated resources resourceBytes, err = os.ReadFile(path.Join(workdir, "resources.yaml")) require.NoError(err) toApply, err := kubeapi.UnmarshalUnstructuredK8SResource(resourceBytes) 
From 408cf99946f7761b88fadd6aed4be953674344e9 Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 24 Oct 2024 14:54:10 +0200 Subject: [PATCH 12/34] add option to run E2E test without nix env & use it for the `aks-runtime` test --- .github/workflows/e2e.yml | 26 ++++++++++++--- .github/workflows/e2e_aks_runtime.yml | 46 ++++++++++++++++++++------- 2 files changed, 55 insertions(+), 17 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index de5983b3c9..ae8017642f 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -18,6 +18,11 @@ on: self-hosted: description: "Self Hosted" type: boolean + run-without-nix: + description: "Run the E2E test without using a nix shell" + type: boolean + required: false + default: false env: container_registry: ghcr.io/edgelesssys 
@@ -73,11 +78,22 @@ jobs: - name: E2E Test run: | nix run .#scripts.get-logs workspace/e2e.namespace & - nix shell -L .#contrast.e2e --command ${{ inputs.test-name }}.test -test.v \ - --image-replacements workspace/just.containerlookup \ - --namespace-file workspace/e2e.namespace \ - --platform ${{ inputs.platform }} \ - --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}" + if [[ "${{inputs.run-without-nix}}" == "false" ]]; then + echo "Running with nix" + nix shell -L .#contrast.e2e --command ${{ inputs.test-name }}.test -test.v \ + --image-replacements workspace/just.containerlookup \ + --namespace-file workspace/e2e.namespace \ + --platform ${{ inputs.platform }} \ + --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}" + else + echo "Running without nix" + nix build .#contrast.e2e + ./result/bin/${{ inputs.test-name }}.test -test.v \ + --image-replacements workspace/just.containerlookup \ + --namespace-file workspace/e2e.namespace \ + --platform ${{ inputs.platform }} \ + --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}" + fi - name: Upload logs if: always() uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index b598d5e2c4..b82e958858 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml 
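Review bot: The two branches of the new `if` in the E2E Test step repeat the same four test flags verbatim, so the nix and non-nix invocations can drift apart without anyone noticing; collect them once, e.g. `args=(-test.v --image-replacements workspace/just.containerlookup --namespace-file workspace/e2e.namespace --platform ${{ inputs.platform }} --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}")`, and vary only the command prefix. `${{inputs.run-without-nix}}` also lacks the spaces every other expression in this file uses. In the non-nix branch the test binary is executed directly instead of through `go test`, which means no default test timeout applies; consider passing `-test.timeout` there.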
@@ -9,15 +9,37 @@ on: jobs: test_matrix: - name: Test aks runtime - uses: ./.github/workflows/e2e.yml - with: - skip-undeploy: false - test-name: aks-runtime - platform: AKS-CLH-SNP - runner: ubuntu-22.04 - self-hosted: false - secrets: inherit - permissions: - contents: read - packages: write + steps: + - name: Install `az` with extensions + run: | + sudo apt-get update + sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release + sudo mkdir -p /etc/apt/keyrings + curl -sLS https://packages.microsoft.com/keys/microsoft.asc | + gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null + sudo chmod go+r /etc/apt/keyrings/microsoft.gpg + AZ_DIST=$(lsb_release -cs) + echo "Types: deb + URIs: https://packages.microsoft.com/repos/azure-cli/ + Suites: ${AZ_DIST} + Components: main + Architectures: $(dpkg --print-architecture) + Signed-by: /etc/apt/keyrings/microsoft.gpg" | sudo tee /etc/apt/sources.list.d/azure-cli.sources + sudo apt-get update + sudo apt-get install azure-cli + + az extension add --name aks-preview + az extension add --name confcom + - name: Test aks runtime + uses: ./.github/workflows/e2e.yml + with: + skip-undeploy: false + test-name: aks-runtime + platform: AKS-CLH-SNP + runner: ubuntu-22.04 + self-hosted: false + run-without-nix: true + secrets: inherit + permissions: + contents: read + packages: write From 85b6af001a2adc01ec2e175f52f3cea419c46f1f Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 24 Oct 2024 14:55:47 +0200 Subject: [PATCH 13/34] add workflow_dispatch trigger --- .github/workflows/e2e_aks_runtime.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index b82e958858..2b6fd3b1e3 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -1,6 +1,7 @@ name: e2e test aks runtime on: + workflow_dispatch: schedule: - cron: "16 6 * * 6" # 6:16 on Saturdays pull_request: 
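Review bot: The `steps:` list is added under `test_matrix`, which has no `runs-on`, and its second step combines `uses: ./.github/workflows/e2e.yml` with `secrets:` and `permissions:` keys; a reusable workflow can only be called at job level, not as a step, so this job will presumably be rejected by the workflow parser. Separately, the Microsoft signing key is downloaded and written to `/etc/apt/keyrings` without any check; comparing its fingerprint (`gpg --show-keys --with-fingerprint` against `<EXPECTED_FINGERPRINT>` from the vendor documentation) before trusting it pins what the runner accepts, and the same applies to the copies of this step in PATCH 14/34, 22/34 and 30/34. `apt-get install` is run twice without `-y`, which fails in the non-interactive runner shell, and `az extension add --name aks-preview`/`confcom` install whatever version is current, so the policy generator the test exercises is not reproducible; a `--version` pin would fix that.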
From 20ab893867bdafa5912974c6b6392416a605a869 Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 24 Oct 2024 14:56:34 +0200 Subject: [PATCH 14/34] correct workflow file two jobs indentation :( add forgotten permissions --- .github/workflows/e2e_aks_runtime.yml | 34 +++++++++++++++------------ 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index 2b6fd3b1e3..844971e644 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -9,7 +9,8 @@ on: - e2e/aks-runtime/** jobs: - test_matrix: + install-software: + runs-on: ubuntu-22.04 steps: - name: Install `az` with extensions run: | @@ -17,7 +18,7 @@ jobs: sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release sudo mkdir -p /etc/apt/keyrings curl -sLS https://packages.microsoft.com/keys/microsoft.asc | - gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null + gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null sudo chmod go+r /etc/apt/keyrings/microsoft.gpg AZ_DIST=$(lsb_release -cs) echo "Types: deb @@ -31,16 +32,19 @@ jobs: az extension add --name aks-preview az extension add --name confcom - - name: Test aks runtime - uses: ./.github/workflows/e2e.yml - with: - skip-undeploy: false - test-name: aks-runtime - platform: AKS-CLH-SNP - runner: ubuntu-22.04 - self-hosted: false - run-without-nix: true - secrets: inherit - permissions: - contents: read - packages: write + + test_matrix: + name: Test aks runtime + needs: install-software + secrets: inherit + permissions: + contents: read + packages: write + uses: ./.github/workflows/e2e.yml + with: + skip-undeploy: false + test-name: aks-runtime + platform: AKS-CLH-SNP + runner: ubuntu-22.04 + self-hosted: false + run-without-nix: true From db19b99d0251968a920625e322c1b5e14af6ab7e Mon Sep 17 00:00:00 2001 
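Review bot: Moving the Azure CLI installation into its own `install-software` job does not make `az` available to `test_matrix`: `needs:` only orders the jobs, and the reusable `e2e.yml` workflow runs on a fresh runner with its own filesystem, so the test binary will not find `az` on PATH. Install the CLI in a step of the same job that runs the test, or make it part of the test environment the reusable workflow sets up.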
From: miampf Date: Thu, 24 Oct 2024 16:53:23 +0200 Subject: [PATCH 15/34] add comment linking to ms az install docs --- .github/workflows/e2e_aks_runtime.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index 844971e644..e3d2910103 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -9,6 +9,7 @@ on: - e2e/aks-runtime/** jobs: + # steps taken from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt#option-2-step-by-step-installation-instructions install-software: runs-on: ubuntu-22.04 steps: From b633100ff1e86eec7207c8cbafb8bc598de2184f Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 24 Oct 2024 16:54:55 +0200 Subject: [PATCH 16/34] don't use echo to write file --- .github/workflows/e2e_aks_runtime.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index e3d2910103..ebd72ccbc2 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -22,12 +22,16 @@ jobs: gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null sudo chmod go+r /etc/apt/keyrings/microsoft.gpg AZ_DIST=$(lsb_release -cs) - echo "Types: deb + + sudo tee /etc/apt/sources.list.d/azure-cli.sources < Date: Thu, 24 Oct 2024 17:05:21 +0200 Subject: [PATCH 17/34] use bash image from ghcr.io --- e2e/aks-runtime/aks_runtime_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index 57ad63003e..ea35111f10 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go 
@@ -75,7 +75,7 @@ func TestAKSRuntime(t *testing.T) { WithSpec(kuberesource.PodSpec(). WithContainers(kuberesource.Container(). WithName(testContainer). - WithImage("docker.io/bash@sha256:ce062497c248eb1cf4d32927f8c1780cce158d3ed0658c586a5be7308d583cbb"). + WithImage("ghcr.io/edgelesssys/bash@sha256:cabc70d68e38584052cff2c271748a0506b47069ebbd3d26096478524e9b270b"). WithCommand("/usr/local/bin/bash", "-c", "uname -r; sleep infinity"), ), ), From 95e2119c8d8b9da88970b23bbe147bec9a0dd06a Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 24 Oct 2024 17:19:11 +0200 Subject: [PATCH 18/34] delete namespace --- e2e/aks-runtime/aks_runtime_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index ea35111f10..79cd08958c 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -1,7 +1,7 @@ // Copyright 2024 Edgeless Systems GmbH // SPDX-License-Identifier: AGPL-3.0-only -//go:build e2e +///go:build e2e package aksruntime @@ -116,7 +116,7 @@ func TestAKSRuntime(t *testing.T) { // delete the deployment deletePolicy := metav1.DeletePropagationForeground - require.NoError(c.Client.AppsV1().Deployments(namespace).Delete(context.Background(), testContainer, metav1.DeleteOptions{ + require.NoError(c.Client.CoreV1().Namespaces().Delete(context.Background(), namespace, metav1.DeleteOptions{ PropagationPolicy: &deletePolicy, })) }) From 235ccab86e3ea16cb85824f010c9d9eaeef2f66d Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 24 Oct 2024 17:21:37 +0200 Subject: [PATCH 19/34] assert that only one pod exists --- e2e/aks-runtime/aks_runtime_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index 79cd08958c..b23988e13a 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go 
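Review bot: `///go:build e2e` is not a build constraint; Go only recognises the directive as `//go:build` at the start of the line, so with the third slash the file is compiled unconditionally and this cluster-dependent test would be picked up by any plain `go test ./...` run. If the goal was to run the test locally without the tag, use `-tags e2e` instead of editing the directive; the following commit restores `//go:build e2e`.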
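Review bot: The cleanup now deletes the whole namespace, but the comment above it still reads `// delete the deployment`; change it to `// delete the namespace, and with it the deployment`. The delete call uses `context.Background()` with foreground propagation, so if the API server or a finalizer stalls, the test's cleanup blocks indefinitely; use `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)` with `defer cancel()` (timeout value illustrative), and the same applies to the rewrites of this call in PATCH 33/34 and 34/34. The enclosing `t.Cleanup` closure starts outside the hunk.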
@@ -1,7 +1,7 @@ // Copyright 2024 Edgeless Systems GmbH // SPDX-License-Identifier: AGPL-3.0-only -///go:build e2e +//go:build e2e package aksruntime @@ -123,6 +123,7 @@ func TestAKSRuntime(t *testing.T) { pods, err := c.Client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{}) require.NoError(err) + require.Equal(len(pods.Items), 1) pod := pods.Items[0] // only one pod was deployed logs, err := c.Client.CoreV1().Pods(namespace).GetLogs(pod.Name, &corev1.PodLogOptions{}).DoRaw(ctx) From 5fc37ca0418fa4a509dea4ff3c20b7d45d8efb3e Mon Sep 17 00:00:00 2001 From: miampf Date: Thu, 24 Oct 2024 17:28:25 +0200 Subject: [PATCH 20/34] print stderr of `katapolicygen` to os remove accidental inclusion of t --- e2e/internal/az/confcom.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/e2e/internal/az/confcom.go b/e2e/internal/az/confcom.go index 62a1a0ab83..3fa660042e 100644 --- a/e2e/internal/az/confcom.go +++ b/e2e/internal/az/confcom.go @@ -6,6 +6,7 @@ package az import ( + "os" "os/exec" "strings" ) @@ -21,5 +22,7 @@ func KataPolicyGenVersion() (string, error) { // KataPolicyGen executes `az confcom katapolicygen --yaml `. func KataPolicyGen(resourcePath string) error { - return exec.Command("az", "confcom", "katapolicygen", "--yaml", resourcePath).Run() + cmd := exec.Command("az", "confcom", "katapolicygen", "--yaml", resourcePath) + cmd.Stderr = os.Stderr + return cmd.Run() } From 44dfb31aac14046ef956b6ce55faa96d7459152e Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 11:45:31 +0100 Subject: [PATCH 21/34] revert `run-without-nix` --- .github/workflows/e2e.yml | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index ae8017642f..de5983b3c9 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml 
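Review bot: `require.Equal(len(pods.Items), 1)` passes the arguments in (actual, expected) order, so a failure message labels the two values backwards; `require.Len(pods.Items, 1)` states the intent directly and reports the actual slice. With that assertion in place the `// only one pod was deployed` comment on the next line is redundant and can be dropped.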
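Review bot: Pointing `cmd.Stderr` at `os.Stderr` sends the `az confcom katapolicygen` diagnostics to the process's stderr rather than into the returned error, so a test failing on `require.NoError(az.KataPolicyGen(...))` reports only `exit status 1` while the reason sits somewhere else in the job log. Capturing the output and wrapping it is more useful to the caller: `out, err := cmd.CombinedOutput(); if err != nil { return fmt.Errorf("running az confcom katapolicygen: %w: %s", err, out) }`, which needs `fmt` in place of `os` in the import hunk.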
@@ -18,11 +18,6 @@ on: self-hosted: description: "Self Hosted" type: boolean - run-without-nix: - description: "Run the E2E test without using a nix shell" - type: boolean - required: false - default: false env: container_registry: ghcr.io/edgelesssys @@ -78,22 +73,11 @@ jobs: - name: E2E Test run: | nix run .#scripts.get-logs workspace/e2e.namespace & - if [[ "${{inputs.run-without-nix}}" == "false" ]]; then - echo "Running with nix" - nix shell -L .#contrast.e2e --command ${{ inputs.test-name }}.test -test.v \ - --image-replacements workspace/just.containerlookup \ - --namespace-file workspace/e2e.namespace \ - --platform ${{ inputs.platform }} \ - --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}" - else - echo "Running without nix" - nix build .#contrast.e2e - ./result/bin/${{ inputs.test-name }}.test -test.v \ - --image-replacements workspace/just.containerlookup \ - --namespace-file workspace/e2e.namespace \ - --platform ${{ inputs.platform }} \ - --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}" - fi + nix shell -L .#contrast.e2e --command ${{ inputs.test-name }}.test -test.v \ + --image-replacements workspace/just.containerlookup \ + --namespace-file workspace/e2e.namespace \ + --platform ${{ inputs.platform }} \ + --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}" - name: Upload logs if: always() uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 From aa21e9442b903da5660e5a57cfd5a5fd9e2e2ae4 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 11:55:33 +0100 Subject: [PATCH 22/34] everything in one job --- .github/workflows/e2e_aks_runtime.yml | 74 ++++++++++++++++++++------- 1 file changed, 56 insertions(+), 18 deletions(-) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index ebd72ccbc2..6653f7c8dc 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml 
@@ -9,10 +9,37 @@ on: - e2e/aks-runtime/** jobs: - # steps taken from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt#option-2-step-by-step-installation-instructions - install-software: + test: runs-on: ubuntu-22.04 steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: ./.github/actions/setup_nix + with: + githubToken: ${{ secrets.GITHUB_TOKEN }} + cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + - name: Login to Azure + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 + with: + creds: ${{ secrets.CONTRAST_CI_INFRA_AZURE }} + - name: Create justfile.env + run: | + cat < justfile.env + container_registry=${{ env.container_registry }} + azure_resource_group=${{ env.azure_resource_group }} + EOF + - name: Get credentials for CI cluster + run: | + nix run .#just -- get-credentials + - name: Set sync environment + run: | + sync_ip=$(kubectl get svc sync -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo "SYNC_ENDPOINT=http://$sync_ip:8080" | tee -a "$GITHUB_ENV" + sync_uuid=$(kubectl get configmap sync-server-fifo -o jsonpath='{.data.uuid}') + echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV" + - name: Build and prepare deployments + run: | + nix run .#just -- coordinator initializer port-forwarder openssl cryptsetup service-mesh-proxy node-installer AKS-CLH-SNP + # steps taken from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt#option-2-step-by-step-installation-instructions - name: Install `az` with extensions run: | sudo apt-get update 
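Review bot: The `Create justfile.env` step interpolates `${{ env.container_registry }}` and `${{ env.azure_resource_group }}`, but no `env:` block defining them is visible in this file (the removed `test_matrix` job received them through the reusable workflow), so presumably both expand to empty strings and the build step pushes to an empty registry name; define them at workflow level, e.g. `container_registry: ghcr.io/edgelesssys`, before this step runs. The `Set sync environment` step also appends values read from cluster objects (`svc sync`, `configmap sync-server-fifo`) straight into `$GITHUB_ENV`; a value containing a newline would define further variables for later steps, so validating the IP and UUID against a pattern before writing them, or exposing them as step outputs, keeps the job's environment under the workflow's control.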
@@ -37,19 +64,30 @@ jobs: az extension add --name aks-preview az extension add --name confcom - - test_matrix: - name: Test aks runtime - needs: install-software - secrets: inherit - permissions: - contents: read - packages: write - uses: ./.github/workflows/e2e.yml - with: - skip-undeploy: false - test-name: aks-runtime - platform: AKS-CLH-SNP - runner: ubuntu-22.04 - self-hosted: false - run-without-nix: true + - name: E2E test + run: | + nix run .#scripts.get-logs workspace/e2e.namespace & + nix build .#contrast.e2e + ./result/bin/aks-runtime.test -test.v \ + --image-replacements workspace/just.containerlookup \ + --namespace-file workspace/e2e.namespace \ + --platform AKS-CLH-SNP \ + --skip-undeploy="false" + - name: Upload logs + if: always() + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: e2e_pod_logs-AKS-CLH-SNP-aks-runtime + path: workspace/namespace-logs + - name: Notify teams channel of failure + if: ${{ failure() && github.event_name == 'schedule' }} + uses: ./.github/actions/post_to_teams + with: + webhook: ${{ secrets.TEAMS_CI_WEBHOOK }} + title: "aks-runtime test failed" + message: "e2e test aks-runtime failed" + additionalFields: '[{"title": "Platform", "value": "AKS-CLH-SNP"}]' + - name: Cleanup + if: cancelled() + run: | + kubectl delete ns "$(cat workspace/e2e.namespace)" --timeout 5m From d070876e0d4ee14931a935e6d404d31d8103bed4 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 11:56:44 +0100 Subject: [PATCH 23/34] remove now unneeded wrapping --- packages/by-name/contrast/package.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index 0179ccb00e..51ab5aa66e 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix 
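Review bot: The `E2E test` step runs `./result/bin/aks-runtime.test` directly, and a test binary invoked this way has no default timeout (unlike `go test`), while the `test` job sets no `timeout-minutes`; a stalled AKS rollout therefore holds the runner and the CI namespace until the job-level limit. Pass `-test.timeout 1h` (value illustrative) on the command line and add `timeout-minutes:` to the job. The `Cleanup` step is gated on `cancelled()` only, so a namespace left behind by a test that died before its `t.Cleanup` ran (a timeout panic, for instance) is never removed; running the same `kubectl delete ns` under `if: always()`, tolerating a not-found, is safer on a shared cluster.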
@@ -48,11 +48,6 @@ let "e2e/regression" "e2e/aks-runtime" ]; - - postInstall = '' - wrapProgram $out/bin/aks-runtime.test \ - --prefix PATH : ${lib.makeBinPath [ azure-cli ]} - ''; }; # Reference values that we embed into the Contrast CLI for From 58290126da203d96d763526b1fc6178047d51754 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 12:08:59 +0100 Subject: [PATCH 24/34] add missing env --- .github/workflows/e2e_aks_runtime.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index 6653f7c8dc..a8069645b1 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -8,6 +8,11 @@ on: paths: - e2e/aks-runtime/** +env: + container_registry: ghcr.io/edgelesssys + azure_resource_group: contrast-ci + DO_NOT_TRACK: 1 + jobs: test: runs-on: ubuntu-22.04 From 770debd185d41d804b5abe4a008b7cae1904ecdb Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 12:24:12 +0100 Subject: [PATCH 25/34] use a nix shell for running just --- .github/workflows/e2e_aks_runtime.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index a8069645b1..7806727092 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -43,7 +43,7 @@ jobs: echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV" - name: Build and prepare deployments run: | - nix run .#just -- coordinator initializer port-forwarder openssl cryptsetup service-mesh-proxy node-installer AKS-CLH-SNP + nix shell .#just --command just coordinator initializer port-forwarder openssl cryptsetup service-mesh-proxy node-installer AKS-CLH-SNP # steps taken from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt#option-2-step-by-step-installation-instructions - name: Install `az` with extensions run: | 
From 8914182a7bd3509e4ca1bad34030e234be47763a Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 12:25:39 +0100 Subject: [PATCH 26/34] use require.Len --- e2e/aks-runtime/aks_runtime_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index b23988e13a..1c83f8627b 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -123,7 +123,7 @@ func TestAKSRuntime(t *testing.T) { pods, err := c.Client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{}) require.NoError(err) - require.Equal(len(pods.Items), 1) + require.Len(pods.Items, 1) pod := pods.Items[0] // only one pod was deployed logs, err := c.Client.CoreV1().Pods(namespace).GetLogs(pod.Name, &corev1.PodLogOptions{}).DoRaw(ctx) From 6d57bcfe7c8a6db11d432f3edb9a88948a17a400 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 12:26:12 +0100 Subject: [PATCH 27/34] remove azure-cli from contrast package --- packages/by-name/contrast/package.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index 51ab5aa66e..48eb3d9525 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -3,7 +3,6 @@ { lib, - azure-cli, makeWrapper, buildGoModule, buildGoTest, From de49a8e9db0db2a5337db5ef589504ca3332d41e Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 12:36:21 +0100 Subject: [PATCH 28/34] add forgotten login to ghcr.io --- .github/workflows/e2e_aks_runtime.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index 7806727092..c8ab4a687b 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml 
@@ -26,6 +26,12 @@ jobs: uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 with: creds: ${{ secrets.CONTRAST_CI_INFRA_AZURE }} + - name: Log in to ghcr.io Container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Create justfile.env run: | cat < justfile.env From fe1c51798bdd817b27b1454b17080832467bcf10 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 15:57:42 +0100 Subject: [PATCH 29/34] add permissions --- .github/workflows/e2e_aks_runtime.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index c8ab4a687b..ab47048031 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml @@ -16,6 +16,9 @@ env: jobs: test: runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/setup_nix From 10311b17126ea09244f1cab8156c49c1770a8885 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 16:21:50 +0100 Subject: [PATCH 30/34] use `apt-get -y install` --- .github/workflows/e2e_aks_runtime.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index ab47048031..a94d411454 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml 
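Review bot: The `permissions` block grants `packages: write` to the whole `test` job, and together with the `docker/login-action` step that logs into ghcr.io with `GITHUB_TOKEN` every later step, including the apt/az installation, runs with push rights to the organisation's packages. If the `Build and prepare deployments` step genuinely pushes images this is the narrowest scope a single job allows, but that should be confirmed; otherwise `packages: read` suffices. On `pull_request` runs from forks `GITHUB_TOKEN` is read-only regardless, so a push would fail there rather than escalate.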
@@ -57,7 +57,7 @@ jobs: - name: Install `az` with extensions run: | sudo apt-get update - sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release + sudo apt-get -y install apt-transport-https ca-certificates curl gnupg lsb-release sudo mkdir -p /etc/apt/keyrings curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null @@ -74,7 +74,7 @@ jobs: EOF sudo apt-get update - sudo apt-get install azure-cli + sudo apt-get -y install azure-cli az extension add --name aks-preview az extension add --name confcom From 1c366ff34c07bdcc98815af5f350bd98cc736fd5 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 16:39:53 +0100 Subject: [PATCH 31/34] removed more unneeded nix dependencies --- packages/by-name/contrast/package.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index 48eb3d9525..1c84eee50c 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -3,7 +3,6 @@ { lib, - makeWrapper, buildGoModule, buildGoTest, microsoft, @@ -27,14 +26,6 @@ let tags = [ "e2e" ]; - nativeBuildInputs = [ - makeWrapper - ]; - - ldflags = [ - "-s" - ]; - subPackages = [ "e2e/genpolicy" "e2e/getdents" From 3aaebccbae01bf7390084e4630ace17e2589a512 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 16:40:01 +0100 Subject: [PATCH 32/34] only run on attempt 1 --- .github/workflows/e2e_aks_runtime.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e_aks_runtime.yml b/.github/workflows/e2e_aks_runtime.yml index a94d411454..064e4a3cbc 100644 --- a/.github/workflows/e2e_aks_runtime.yml +++ b/.github/workflows/e2e_aks_runtime.yml 
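Review bot: `curl -sLS https://packages.microsoft.com/keys/microsoft.asc` on the line after the changed `apt-get` call has no `-f`, so an HTTP error page is returned with exit status 0 and piped into `gpg --dearmor`; use `curl -fsSL …` so the step fails at the download rather than at a later `apt-get update`. The `-y` additions are right; `apt-get -y install --no-install-recommends` would additionally keep the runner's package set, and with it the trusted surface, smaller.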
@@ -94,7 +94,7 @@ jobs: name: e2e_pod_logs-AKS-CLH-SNP-aks-runtime path: workspace/namespace-logs - name: Notify teams channel of failure - if: ${{ failure() && github.event_name == 'schedule' }} + if: ${{ failure() && github.event_name == 'schedule' && github.run_attempt == 1 }} uses: ./.github/actions/post_to_teams with: webhook: ${{ secrets.TEAMS_CI_WEBHOOK }} From 673b4df26b9da62f85b76718db7b35e7dbff66d1 Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 16:42:53 +0100 Subject: [PATCH 33/34] add go changes --- e2e/aks-runtime/aks_runtime_test.go | 6 ++++-- e2e/internal/az/aks.go | 4 ++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index 1c83f8627b..eba22e3231 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -116,9 +116,11 @@ func TestAKSRuntime(t *testing.T) { // delete the deployment deletePolicy := metav1.DeletePropagationForeground - require.NoError(c.Client.CoreV1().Namespaces().Delete(context.Background(), namespace, metav1.DeleteOptions{ + if err = c.Client.CoreV1().Namespaces().Delete(context.Background(), namespace, metav1.DeleteOptions{ PropagationPolicy: &deletePolicy, - })) + }); err != nil { + t.Fatalf("Failed to delete namespace %s", &namespace) + } }) pods, err := c.Client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{}) diff --git a/e2e/internal/az/aks.go b/e2e/internal/az/aks.go index 94800e6cee..bf9c7c7c61 100644 --- a/e2e/internal/az/aks.go +++ b/e2e/internal/az/aks.go @@ -7,6 +7,7 @@ package az import ( "encoding/json" + "errors" "fmt" "os/exec" "strings" @@ -25,6 +26,9 @@ func NodeImageVersion(clusterName string, rg string) (string, error) { if err != nil { return "", err } + if len(outMap) == 0 { + return "", errors.New("No nodepools could be listed") + } return strings.TrimSpace(fmt.Sprintf("%s", outMap[0]["nodeImageVersion"])), nil } 
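Review bot: The new `t.Fatalf("Failed to delete namespace %s", &namespace)` passes a `*string` to `%s` (go vet reports this; the next commit drops the `&`) and, in both versions, discards `err`, so the failure carries no reason; write `t.Fatalf("deleting namespace %s: %v", namespace, err)`. The `err = …` assignment also reuses the outer `err` inside the `t.Cleanup` closure, where `if err := …; err != nil` keeps it local. The closure and `TestAKSRuntime` start outside the hunk.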
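Review bot: `errors.New("No nodepools could be listed")` starts with a capital letter, against Go's lowercase error-string convention (`errors.New("no nodepools could be listed")`), and the new length check guards only the index, not the value: `fmt.Sprintf("%s", outMap[0]["nodeImageVersion"])` on a missing or non-string field yields `%!s(<nil>)` or a Go-syntax rendering, which is then returned as if it were a version. A checked type assertion, `v, ok := outMap[0]["nodeImageVersion"].(string); if !ok { return "", errors.New("nodeImageVersion missing from az output") }`, fails loudly instead. `NodeImageVersion` begins outside the hunk.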
From 5ab9fcfe9b6a039948c2dc9618ed1c7e934ab99c Mon Sep 17 00:00:00 2001 From: miampf Date: Tue, 29 Oct 2024 16:49:56 +0100 Subject: [PATCH 34/34] correct type --- e2e/aks-runtime/aks_runtime_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/aks-runtime/aks_runtime_test.go b/e2e/aks-runtime/aks_runtime_test.go index eba22e3231..bd39c9ce7a 100644 --- a/e2e/aks-runtime/aks_runtime_test.go +++ b/e2e/aks-runtime/aks_runtime_test.go @@ -119,7 +119,7 @@ func TestAKSRuntime(t *testing.T) { if err = c.Client.CoreV1().Namespaces().Delete(context.Background(), namespace, metav1.DeleteOptions{ PropagationPolicy: &deletePolicy, }); err != nil { - t.Fatalf("Failed to delete namespace %s", &namespace) + t.Fatalf("Failed to delete namespace %s", namespace) } })