Bring in changes from release branch (#479)

* Bump version to v2.2.0 * Update changelog * Fix release detection in pipeline * Fix PKI selection in pipeline * Set enforced measurements for AWS * Update default images * Fix release docs * Update mini-con defaults * Fix measurements action * Fix syft env variable naming Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-10-01 01:36:09 -04:00 · 2022-11-08 18:32:59 +01:00 · 2022-11-08 18:32:59 +01:00 · 011f9c597d
commit 011f9c597d
parent 2b64f31104
17 changed files with 75 additions and 46 deletions
--- a/.github/actions/generate_measurements/action.yml
+++ b/.github/actions/generate_measurements/action.yml
@ -49,6 +49,9 @@ inputs:
  azureResourceGroup:
    description: "The resource group to use"
    required: false
+  azureUserAssignedIdentity:
+     description: "The Azure user assigned identity to use for Constellation."
+     required: false
  cosignPublicKey:
    description: "Cosign public key to sign measurements."
    required: true
@ -95,6 +98,7 @@ runs:
      uses: ./.github/actions/constellation_create
      with:
        cloudProvider: ${{ inputs.cloudProvider }}
+        gcpProject: ${{ inputs.gcpProject }}
        gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }}
        workerNodesCount: ${{ inputs.workerNodesCount }}
        controlNodesCount: ${{ inputs.controlNodesCount }}
@ -102,7 +106,11 @@ runs:
        osImage: ${{ inputs.osImage }}
        isDebugImage: ${{ inputs.isDebugImage }}
        kubernetesVersion: ${{ inputs.kubernetesVersion }}
+        azureSubscription: ${{ inputs.azureSubscription }}
+        azureTenant: ${{ inputs.azureTenant }}
+        azureClientID: ${{ inputs.azureClientID }}
        azureClientSecret: ${{ inputs.azureClientSecret }}
+        azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
        azureResourceGroup: ${{ inputs.azureResourceGroup }}

    - name: Measure cluster
--- a/.github/docs/release.md
+++ b/.github/docs/release.md
@ -63,11 +63,10 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
    10. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability.

        ```sh
-        sono='--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
-        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
-        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
-        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
-        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
        ```

    11. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP.
@ -78,6 +77,7 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
        ```

    12. Create a new tag on this release branch
+
        ```sh
        git tag v$ver
        git tags --push
@ -98,6 +98,7 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
   3. Close the milestone for the release
   4. Move open issues and PRs from closed milestone to next milestone
 8. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
+
    ```sh
    nextMinorVer=$(echo $ver | awk -F. -v OFS=. '{$2 += 1 ; print}')
    git checkout main
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -76,10 +76,10 @@ jobs:
        shell: bash
        id: image-type
        run: |
-          if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == 'false') }}" = true ]
+          if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
          then
            echo "imageType=release" >> $GITHUB_OUTPUT
-          elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == 'true') }}" = true ]
+          elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
          then
            echo "imageType=debug" >> $GITHUB_OUTPUT
          else
@ -90,7 +90,7 @@ jobs:
        id: pki-set
        shell: bash
        run: |
-          if [ "${{ steps.image-type.outputs.image-type }}" = "release" ]
+          if [ "${{ steps.image-type.outputs.imageType }}" = "release" ]
          then
            echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT
          else
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@ -91,9 +91,9 @@ jobs:
          grype constellation.spdx.sbom --fail-on high --only-fixed
        env:
          COSIGN_EXPERIMENTAL: 1
-          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
-          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
-          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
+          COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+          COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Create release with artifacts
        # GitHub endorsed release project. See: https://github.com/actions/create-release
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -21,19 +21,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]

 ### Added
- Sign generated SBOMs and store container image SBOMs in registry for easier usage.

 ### Changed
 <!-- For changes in existing functionality.  -->
+
+### Deprecated
+<!-- For soon-to-be removed features. -->
+
+### Removed
+<!-- For now removed features. -->
+
+## [2.2.0] - 2022-11-08
+
+### Added
+
+- Sign generated SBOMs and store container image SBOMs in registry for easier usage.
+- Support for Constellation on AWS.
+- Constellation Kubernetes services are now managed using Helm.
+- Use tags to mark all applicable resources using a Constellation's UID on Azure.
+- Use labels to mark all applicable resources using a Constellation's UID on GCP.
+
+### Changed
+
 - Verify measurements using [Rekor](https://github.com/sigstore/rekor) transparency log.
 - The `constellation create` on Azure now uses Terraform to create and destroy cloud resources.
 - Constellation OS images are now based on Fedora directly and are built using [mkosi](https://github.com/systemd/mkosi).
 - `constellation terminate` will now prompt the user for confirmation before destroying any resources (can be skipped with `--yes`).
+- Use the `constellation-role` tag instead of `role` to indicate an instance's role on Azure.
+- Use labels instead of metadata to apply the `constellation-uid` and `constellation-role` tags on GCP.

 ### Deprecated
-<!-- For soon-to-be removed features. -->
+
+- `access-manager` is no longer deployed.
+
 ### Removed
-<!-- For now removed features. -->
+
 - `endpoint` flag of `constellation init`. IP is now always taken from the `constellation-id.json` file.
 - `constellation-state.json` file won't be created anymore. Resources are now managed through Terraform.

@ -43,8 +65,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Internal

- Support for AWS metadata operations
-
 ## [2.1.0] - 2022-10-07

 ### Added
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.11)
-project(constellation LANGUAGES C VERSION 2.1.0)
+project(constellation LANGUAGES C VERSION 2.2.0)
 set(CLI_BUILD_TAGS "" CACHE STRING "Tags passed to go build of Constellation CLI.")

 enable_testing()
--- a/cli/internal/cmd/minidown.go
+++ b/cli/internal/cmd/minidown.go
@ -28,7 +28,7 @@ func newMiniDownCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(0),
 		RunE:  runDown,
 	}
-
+	cmd.Flags().BoolP("yes", "y", false, "terminate the cluster without further confirmation")
 	return cmd
 }

--- a/cli/internal/cmd/miniup.go
+++ b/cli/internal/cmd/miniup.go
@ -189,7 +189,7 @@ func prepareConfig(cmd *cobra.Command, fileHandler file.Handler) (*config.Config
 	}

 	// download image to current directory if it doesn't exist
-	const imagePath = "./constellation.qcow2"
+	const imagePath = "./constellation.raw"
 	if _, err := os.Stat(imagePath); err == nil {
 		cmd.Printf("Using existing image at %s\n\n", imagePath)
 	} else if errors.Is(err, os.ErrNotExist) {
--- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
@ -2,35 +2,35 @@ apiVersion: v2
 name: constellation-services
 description: A chart to deploy all microservices that are part of a valid constellation cluster
 type: application
-version: 2.2.0-pre
+version: 2.2.0

 dependencies:
  - name: kms
-    version: 2.2.0-pre
+    version: 2.2.0
    tags:
      - Azure
      - GCP
      - AWS
      - QEMU
  - name: join-service
-    version: 2.2.0-pre
+    version: 2.2.0
    tags:
      - Azure
      - GCP
      - AWS
      - QEMU
  - name: ccm
-    version: 2.2.0-pre
+    version: 2.2.0
    tags:
      - Azure
      - GCP
      - AWS
  - name: cnm
-    version: 2.2.0-pre
+    version: 2.2.0
    tags:
      - Azure
  - name: autoscaler
-    version: 2.2.0-pre
+    version: 2.2.0
    tags:
      - Azure
      - GCP
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: autoscaler
 description: A Helm chart to deploy the cluster autoscaler.
 type: application
-version: 2.2.0-pre
+version: 2.2.0
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: ccm
 description: A Helm chart to deploy the cloud controller manager.
 type: application
-version: 2.2.0-pre
+version: 2.2.0
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: cnm
 description: A chart to deploy cloud node manager for constellation
 type: application
-version: 2.2.0-pre
+version: 2.2.0
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: join-service
 description: A chart to deploy the Constellation join-service
 type: application
-version: 2.2.0-pre
+version: 2.2.0
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: kms
 description: A Helm chart to deploy the Constellation Key Management Service
 type: application
-version: 2.2.0-pre
+version: 2.2.0
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -268,7 +268,7 @@ func Default() *Config {
 				IAMProfileControlPlane: "",
 				IAMProfileWorkerNodes:  "",
 				Measurements:           copyPCRMap(awsPCRs),
-				EnforcedMeasurements:   []uint32{}, // TODO: add default values
+				EnforcedMeasurements:   []uint32{4, 8, 9, 11, 12, 13, 15},
 			},
 			Azure: &AzureConfig{
 				SubscriptionID:       "",
@ -298,7 +298,7 @@ func Default() *Config {
 				EnforcedMeasurements:  []uint32{0, 4, 8, 9, 11, 12, 13, 15},
 			},
 			QEMU: &QEMUConfig{
-				ImageFormat:           "qcow2",
+				ImageFormat:           "raw",
 				VCPUs:                 2,
 				Memory:                2048,
 				MetadataAPIImage:      versions.QEMUMetadataImage,
@ -306,7 +306,7 @@ func Default() *Config {
 				LibvirtContainerImage: versions.LibvirtImage,
 				Measurements:          copyPCRMap(qemuPCRs),
 				EnforcedMeasurements:  []uint32{4, 8, 9, 11, 12, 13, 15},
-				NVRAM:                 "testing",
+				NVRAM:                 "production",
 			},
 		},
 		KubernetesVersion: string(versions.Default),
--- a/internal/config/images_enterprise.go
+++ b/internal/config/images_enterprise.go
@ -9,6 +9,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config

 const (
-	DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.1.0"
-	DefaultImageGCP   = "projects/constellation-images/global/images/constellation-v2-1-0"
+	DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.0"
+	DefaultImageGCP   = "projects/constellation-images/global/images/constellation-v2-2-0"
 )
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@ -46,22 +46,22 @@ const (
 	// These images are built in a way that they support all versions currently listed in VersionConfigs.
 	KonnectivityAgentImage  = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container
 	KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c"             // renovate:container
-	JoinImage               = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0-pre.0.20221102120022-1f9a788c213d@sha256:41bd333cae47e55d711dee93cd5da0fe3dc66885ab9949d0e76ffe07d2f7dd34"         // renovate:container
-	AccessManagerImage      = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0-pre.0.20221025135123-2d121d9243cf@sha256:08588f0c23353b53750b79122536260870d57b8dff1a1ff1020799e1e0b9f565"       // renovate:container
-	KmsImage                = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0-pre.0.20221026125949-06ce47d16cbd@sha256:544ef14afee3ddca26effb9bacc858a8ee009bca409c7c3c042abc8a1345226b"            // renovate:container
-	VerificationImage       = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0-pre.0.20221104104941-44b1a92d6bdf@sha256:9c550900be4eed8e192dc582910dda492267c2a69a43f6423992212e1adf7a1e" // renovate:container
+	JoinImage               = "ghcr.io/edgelesssys/constellation/join-service:v2.2.0@sha256:8d2c4483e4bee8b2ed1eb32ad35298f51ad167e0aa074c9bc45c2a75ec0d1a22"              // renovate:container
+	AccessManagerImage      = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.0@sha256:e6aa2ef3a65e7d4be25569ad9cbf6cee1dafa2c00734fa85aeb4e56a5943f88e"            // renovate:container
+	KmsImage                = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.0@sha256:df72c9a8e75a848023a4b86faf3399efb8693b980e324eaa41823bc6d0a15006"                 // renovate:container
+	VerificationImage       = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.0@sha256:c928077e535507af7148c083bb1bde4d187eab8aee0e82be06f9b794aa2442e7"      // renovate:container
 	// Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml.
 	GcpGuestImage            = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905"                // renovate:container
-	NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.0-pre.0.20221024145821-b35b74b77278@sha256:f1ee4e2642fd758083344df10a98195213dda299fbbc720bf57873e392e001f1" // renovate:container
+	NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.0@sha256:543ebc67183b580cfeda9e14ff3a0c5056813847ad3605719b54d72b22427a69" // renovate:container
 	// TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog
 	// once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved.
 	NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog:v0.13.1-alpha1@sha256:d382c3aaf9bc470cde6f6c05c2c6ff5c9dcfd90540d5b11f9cf69c4e1dd1ca9d" // renovate:container

-	QEMUMetadataImage = "ghcr.io/edgelesssys/constellation/qemu-metadata-api:v2.1.0@sha256:abfc36fcd02a145412074cdbb54597878594aa1cfb0ffd66e36d3b3e95ee9e7f"                         // renovate:container
-	LibvirtImage      = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0-pre.0.20221021080602-f3d78a573fb2@sha256:f42fa5f009415f2c6631b83e8831790d324c27d5f3ae883c59ea7bfeba50facd" // renovate:container
+	QEMUMetadataImage = "ghcr.io/edgelesssys/constellation/qemu-metadata-api:v2.2.0@sha256:3c173639bbd258f56c7f4e97fa5dc7b7c63d7d45f96f7d7af5c43ed9eb2258ac" // renovate:container
+	LibvirtImage      = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce"           // renovate:container

 	// ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images.
-	ConstellationQEMUImageURL = "https://d1gl9j3ejrmbpr.cloudfront.net/mini-constellation-v2.1.0.qcow2"
+	ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.0/constellation.raw"

 	// currently supported versions.
 	//nolint:revive