Bring in changes from release branch (#479)

* Bump version to v2.2.0

* Update changelog

* Fix release detection in pipeline

* Fix PKI selection in pipeline

* Set enforced measurements for AWS

* Update default images

* Fix release docs

* Update mini-con defaults

* Fix measurements action

* Fix syft env variable naming

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2022-11-08 18:32:59 +01:00 committed by GitHub
parent 2b64f31104
commit 011f9c597d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 75 additions and 46 deletions


@ -49,6 +49,9 @@ inputs:
azureResourceGroup:
description: "The resource group to use"
required: false
azureUserAssignedIdentity:
description: "The Azure user assigned identity to use for Constellation."
required: false
cosignPublicKey:
description: "Cosign public key to sign measurements."
required: true
@ -95,6 +98,7 @@ runs:
uses: ./.github/actions/constellation_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
gcpProject: ${{ inputs.gcpProject }}
gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }}
workerNodesCount: ${{ inputs.workerNodesCount }}
controlNodesCount: ${{ inputs.controlNodesCount }}
@ -102,7 +106,11 @@ runs:
osImage: ${{ inputs.osImage }}
isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
azureSubscription: ${{ inputs.azureSubscription }}
azureTenant: ${{ inputs.azureTenant }}
azureClientID: ${{ inputs.azureClientID }}
azureClientSecret: ${{ inputs.azureClientSecret }}
azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
azureResourceGroup: ${{ inputs.azureResourceGroup }}
- name: Measure cluster
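Review bot: The new `azureUserAssignedIdentity` input is declared `required: false` with no `default`, yet it is forwarded unconditionally at `azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}`, so an unset input reaches constellation_create as an empty string. If the identity is mandatory for Azure clusters, that downstream action (outside this section) should reject the empty value rather than proceed with whatever fallback the CLI applies; this is worth confirming there. Otherwise say in the description when the caller must set it, e.g. `description: "The Azure user assigned identity to use for Constellation (needed when cloudProvider is azure)."`.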


@ -63,11 +63,10 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
10. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability.
```sh
sono='--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
```
11. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP.
@ -78,6 +77,7 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
```
12. Create a new tag on this release branch
```sh
git tag v$ver
git tags --push
@ -98,6 +98,7 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
3. Close the milestone for the release
4. Move open issues and PRs from closed milestone to next milestone
8. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
```sh
nextMinorVer=$(echo $ver | awk -F. -v OFS=. '{$2 += 1 ; print}')
git checkout main


@ -76,10 +76,10 @@ jobs:
shell: bash
id: image-type
run: |
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == 'false') }}" = true ]
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
then
echo "imageType=release" >> $GITHUB_OUTPUT
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == 'true') }}" = true ]
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
then
echo "imageType=debug" >> $GITHUB_OUTPUT
else
@ -90,7 +90,7 @@ jobs:
id: pki-set
shell: bash
run: |
if [ "${{ steps.image-type.outputs.image-type }}" = "release" ]
if [ "${{ steps.image-type.outputs.imageType }}" = "release" ]
then
echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT
else
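Review bot: The pki-set comparison `if [ "${{ steps.image-type.outputs.imageType }}" = "release" ]` falls through to the dev PKI whenever the output is empty, which is exactly how the `image-type` vs `imageType` mismatch this commit fixes went unnoticed: a renamed or missing output silently builds a release image against the dev key set. Add an explicit guard ahead of the comparison, `if [ -z "${{ steps.image-type.outputs.imageType }}" ]; then echo "imageType output is unset" >&2; exit 1; fi`, so a future drift between the two steps fails the job instead. The else branch of pki-set continues beyond this section.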


@ -91,9 +91,9 @@ jobs:
grype constellation.spdx.sbom --fail-on high --only-fixed
env:
COSIGN_EXPERIMENTAL: 1
cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Create release with artifacts
# GitHub endorsed release project. See: https://github.com/actions/create-release
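Review bot: The release/dev key selection `startsWith(github.ref, 'refs/tags/v') && secrets.X || secrets.DEV_X` is written out three times in the step env, so the three values can drift if one condition is edited alone; a single job-level value such as `IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}` referenced by all three lines keeps the decision in one place. Separately, the `&&`/`||` idiom also takes the dev branch when the prod secret evaluates to an empty string, so a missing `COSIGN_PRIVATE_KEY` on a tag build silently signs with the dev key rather than failing; the rename to `COSIGN_*` names does not change that, and a step that asserts the chosen key is non-empty on tag refs would.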


@ -21,19 +21,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Added
- Sign generated SBOMs and store container image SBOMs in registry for easier usage.
### Changed
<!-- For changes in existing functionality. -->
### Deprecated
<!-- For soon-to-be removed features. -->
### Removed
<!-- For now removed features. -->
## [2.2.0] - 2022-11-08
### Added
- Sign generated SBOMs and store container image SBOMs in registry for easier usage.
- Support for Constellation on AWS.
- Constellation Kubernetes services are now managed using Helm.
- Use tags to mark all applicable resources using a Constellation's UID on Azure.
- Use labels to mark all applicable resources using a Constellation's UID on GCP.
### Changed
- Verify measurements using [Rekor](https://github.com/sigstore/rekor) transparency log.
- The `constellation create` on Azure now uses Terraform to create and destroy cloud resources.
- Constellation OS images are now based on Fedora directly and are built using [mkosi](https://github.com/systemd/mkosi).
- `constellation terminate` will now prompt the user for confirmation before destroying any resources (can be skipped with `--yes`).
- Use the `constellation-role` tag instead of `role` to indicate an instance's role on Azure.
- Use labels instead of metadata to apply the `constellation-uid` and `constellation-role` tags on GCP.
### Deprecated
<!-- For soon-to-be removed features. -->
- `access-manager` is no longer deployed.
### Removed
<!-- For now removed features. -->
- `endpoint` flag of `constellation init`. IP is now always taken from the `constellation-id.json` file.
- `constellation-state.json` file won't be created anymore. Resources are now managed through Terraform.
@ -43,8 +65,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Internal
- Support for AWS metadata operations
## [2.1.0] - 2022-10-07
### Added


@ -1,5 +1,5 @@
cmake_minimum_required(VERSION 3.11)
project(constellation LANGUAGES C VERSION 2.1.0)
project(constellation LANGUAGES C VERSION 2.2.0)
set(CLI_BUILD_TAGS "" CACHE STRING "Tags passed to go build of Constellation CLI.")
enable_testing()


@ -28,7 +28,7 @@ func newMiniDownCmd() *cobra.Command {
Args: cobra.ExactArgs(0),
RunE: runDown,
}
cmd.Flags().BoolP("yes", "y", false, "terminate the cluster without further confirmation")
return cmd
}


@ -189,7 +189,7 @@ func prepareConfig(cmd *cobra.Command, fileHandler file.Handler) (*config.Config
}
// download image to current directory if it doesn't exist
const imagePath = "./constellation.qcow2"
const imagePath = "./constellation.raw"
if _, err := os.Stat(imagePath); err == nil {
cmd.Printf("Using existing image at %s\n\n", imagePath)
} else if errors.Is(err, os.ErrNotExist) {
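Review bot: The reuse branch `cmd.Printf("Using existing image at %s\n\n", imagePath)` boots whatever `./constellation.raw` is present in the working directory, with no integrity check visible in this hunk; the extension change means a stale `constellation.qcow2` is now ignored, while any pre-existing `constellation.raw`, whatever its origin, becomes the cluster image. If the download path (outside this hunk) verifies a digest or signature, the same check should be applied to the reused file, or the reuse should be documented as deliberately unverified, e.g. `// An existing image is reused as-is and is not re-verified against the published artifact.`. prepareConfig begins before this hunk and continues after it.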


@ -2,35 +2,35 @@ apiVersion: v2
name: constellation-services
description: A chart to deploy all microservices that are part of a valid constellation cluster
type: application
version: 2.2.0-pre
version: 2.2.0
dependencies:
- name: kms
version: 2.2.0-pre
version: 2.2.0
tags:
- Azure
- GCP
- AWS
- QEMU
- name: join-service
version: 2.2.0-pre
version: 2.2.0
tags:
- Azure
- GCP
- AWS
- QEMU
- name: ccm
version: 2.2.0-pre
version: 2.2.0
tags:
- Azure
- GCP
- AWS
- name: cnm
version: 2.2.0-pre
version: 2.2.0
tags:
- Azure
- name: autoscaler
version: 2.2.0-pre
version: 2.2.0
tags:
- Azure
- GCP


@ -2,4 +2,4 @@ apiVersion: v2
name: autoscaler
description: A Helm chart to deploy the cluster autoscaler.
type: application
version: 2.2.0-pre
version: 2.2.0


@ -2,4 +2,4 @@ apiVersion: v2
name: ccm
description: A Helm chart to deploy the cloud controller manager.
type: application
version: 2.2.0-pre
version: 2.2.0


@ -2,4 +2,4 @@ apiVersion: v2
name: cnm
description: A chart to deploy cloud node manager for constellation
type: application
version: 2.2.0-pre
version: 2.2.0


@ -2,4 +2,4 @@ apiVersion: v2
name: join-service
description: A chart to deploy the Constellation join-service
type: application
version: 2.2.0-pre
version: 2.2.0


@ -2,4 +2,4 @@ apiVersion: v2
name: kms
description: A Helm chart to deploy the Constellation Key Management Service
type: application
version: 2.2.0-pre
version: 2.2.0


@ -268,7 +268,7 @@ func Default() *Config {
IAMProfileControlPlane: "",
IAMProfileWorkerNodes: "",
Measurements: copyPCRMap(awsPCRs),
EnforcedMeasurements: []uint32{}, // TODO: add default values
EnforcedMeasurements: []uint32{4, 8, 9, 11, 12, 13, 15},
},
Azure: &AzureConfig{
SubscriptionID: "",
@ -298,7 +298,7 @@ func Default() *Config {
EnforcedMeasurements: []uint32{0, 4, 8, 9, 11, 12, 13, 15},
},
QEMU: &QEMUConfig{
ImageFormat: "qcow2",
ImageFormat: "raw",
VCPUs: 2,
Memory: 2048,
MetadataAPIImage: versions.QEMUMetadataImage,
@ -306,7 +306,7 @@ func Default() *Config {
LibvirtContainerImage: versions.LibvirtImage,
Measurements: copyPCRMap(qemuPCRs),
EnforcedMeasurements: []uint32{4, 8, 9, 11, 12, 13, 15},
NVRAM: "testing",
NVRAM: "production",
},
},
KubernetesVersion: string(versions.Default),
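Review bot: The new AWS default `EnforcedMeasurements: []uint32{4, 8, 9, 11, 12, 13, 15}` leaves PCR 0 out, while the Azure default a few lines below enforces `{0, 4, 8, 9, 11, 12, 13, 15}`; because the enforced set is the attestation policy a joining node is held to, that omission should be deliberate and stated rather than left to the reader. Add a comment on the AWS line, e.g. `// PCR 0 is deliberately not enforced on AWS: <reason — TODO fill in>`, and the same on the QEMU list if the reasoning applies there as well. Default() starts and ends outside these hunks.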


@ -9,6 +9,6 @@ SPDX-License-Identifier: AGPL-3.0-only
package config
const (
DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.1.0"
DefaultImageGCP = "projects/constellation-images/global/images/constellation-v2-1-0"
DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.0"
DefaultImageGCP = "projects/constellation-images/global/images/constellation-v2-2-0"
)


@ -44,24 +44,24 @@ func IsPreviewK8sVersion(version ValidK8sVersion) bool {
const (
// Constellation images.
// These images are built in a way that they support all versions currently listed in VersionConfigs.
KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container
KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c" // renovate:container
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0-pre.0.20221102120022-1f9a788c213d@sha256:41bd333cae47e55d711dee93cd5da0fe3dc66885ab9949d0e76ffe07d2f7dd34" // renovate:container
AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0-pre.0.20221025135123-2d121d9243cf@sha256:08588f0c23353b53750b79122536260870d57b8dff1a1ff1020799e1e0b9f565" // renovate:container
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0-pre.0.20221026125949-06ce47d16cbd@sha256:544ef14afee3ddca26effb9bacc858a8ee009bca409c7c3c042abc8a1345226b" // renovate:container
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0-pre.0.20221104104941-44b1a92d6bdf@sha256:9c550900be4eed8e192dc582910dda492267c2a69a43f6423992212e1adf7a1e" // renovate:container
KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container
KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c" // renovate:container
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0@sha256:8d2c4483e4bee8b2ed1eb32ad35298f51ad167e0aa074c9bc45c2a75ec0d1a22" // renovate:container
AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0@sha256:e6aa2ef3a65e7d4be25569ad9cbf6cee1dafa2c00734fa85aeb4e56a5943f88e" // renovate:container
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0@sha256:df72c9a8e75a848023a4b86faf3399efb8693b980e324eaa41823bc6d0a15006" // renovate:container
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0@sha256:c928077e535507af7148c083bb1bde4d187eab8aee0e82be06f9b794aa2442e7" // renovate:container
// Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml.
GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905" // renovate:container
NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.0-pre.0.20221024145821-b35b74b77278@sha256:f1ee4e2642fd758083344df10a98195213dda299fbbc720bf57873e392e001f1" // renovate:container
GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905" // renovate:container
NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.0@sha256:543ebc67183b580cfeda9e14ff3a0c5056813847ad3605719b54d72b22427a69" // renovate:container
// TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog
// once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved.
NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog:v0.13.1-alpha1@sha256:d382c3aaf9bc470cde6f6c05c2c6ff5c9dcfd90540d5b11f9cf69c4e1dd1ca9d" // renovate:container
QEMUMetadataImage = "ghcr.io/edgelesssys/constellation/qemu-metadata-api:v2.1.0@sha256:abfc36fcd02a145412074cdbb54597878594aa1cfb0ffd66e36d3b3e95ee9e7f" // renovate:container
LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0-pre.0.20221021080602-f3d78a573fb2@sha256:f42fa5f009415f2c6631b83e8831790d324c27d5f3ae883c59ea7bfeba50facd" // renovate:container
QEMUMetadataImage = "ghcr.io/edgelesssys/constellation/qemu-metadata-api:v2.2.0@sha256:3c173639bbd258f56c7f4e97fa5dc7b7c63d7d45f96f7d7af5c43ed9eb2258ac" // renovate:container
LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce" // renovate:container
// ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images.
ConstellationQEMUImageURL = "https://d1gl9j3ejrmbpr.cloudfront.net/mini-constellation-v2.1.0.qcow2"
ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.0/constellation.raw"
// currently supported versions.
//nolint:revive
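Review bot: The comment `// ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images.` is now stale, since the value changed to `.../mini-constellation/v2.2.0/constellation.raw`; update it to `// ConstellationQEMUImageURL is the artifact URL for the QEMU raw disk image.`. Unlike the container images in this block, each pinned by an `@sha256:` digest, the raw image is referenced by URL alone, so nothing in this file ties the download to a specific artifact; if the downloader does not verify a published digest or signature, a companion constant holding the expected digest next to the URL would make the pin explicit and greppable. The `const (` block starts before this hunk and continues past it.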