From 56dccb77b4d6fd4c4062afcb967cb7cbad0c387d Mon Sep 17 00:00:00 2001
From: Fabian Kammel
Date: Fri, 18 Nov 2022 10:24:45 +0100
Subject: [PATCH] Merge back changes from v2.2.2 release (#580)

* prepare v2.2.2 release and update release.md
* Updated QEMU measurements
* Terraform GCP: Always use the local account for resource creation (#571)
* CoreOS is no longer used, change docs to OS.

Signed-off-by: Fabian Kammel
Co-authored-by: Malte Poll
---
 .github/docs/release.md | 57 ++++++++++++++++---
 CHANGELOG.md | 11 +++-
 CMakeLists.txt | 2 +-
 .../constellation-services/Chart.yaml | 12 ++--
 .../charts/autoscaler/Chart.yaml | 2 +-
 .../charts/ccm/Chart.yaml | 2 +-
 .../charts/cnm/Chart.yaml | 2 +-
 .../charts/join-service/Chart.yaml | 2 +-
 .../charts/kms/Chart.yaml | 2 +-
 internal/config/images_enterprise.go | 4 +-
 internal/versions/versions.go | 2 +-
 11 files changed, 75 insertions(+), 23 deletions(-)
diff --git a/.github/docs/release.md b/.github/docs/release.md
index 9d37d8236..6f32674da 100644
--- a/.github/docs/release.md
+++ b/.github/docs/release.md 
@@ -52,15 +52,33 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers 2. Create a new block for unreleased changes 5. Update project version in [CMakeLists.txt](/CMakeLists.txt) to `1.3.0` (without v). 6. Update the `version` key in [constellation-services/Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml). Also update the `version` key for all subcharts, e.g. [Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml). Lastly, update the `dependencies.*.version` key for all dependencies in the main chart [constellation-services/Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml). - 7. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**. - 8. Create a [production coreOS image](/.github/workflows/build-coreos.yml) + 7. Update [default image versions in enterprise config](/internal/config/images_enterprise.go) + 8. Increase version number of QEMU image `ConstellationQEMUImageURL` in [versions.go](../../internal/versions/versions.go#L64) + 9. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**. + + ```sh + # crane: https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md + crane digest ghcr.io/edgelesssys/constellation/node-operator-catalog:v$ver + crane digest ghcr.io/edgelesssys/constellation/join-service:v$ver + crane digest ghcr.io/edgelesssys/constellation/access-manager:v$ver + crane digest ghcr.io/edgelesssys/constellation/kmsserver:v$ver + crane digest ghcr.io/edgelesssys/constellation/verification-service:v$ver + ``` + + 10. 
Create a [production OS image](/.github/workflows/build-os-image.yml) ```sh gh workflow run build-os-image.yml --ref release/v$minor -F debug=false -F imageVersion=v$ver ``` - 9. Update [default images in config](/internal/config/images_enterprise.go) - 10. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability. + * Once the pipeline has finished, download the artifact `image-qemu`. + * Unzip the downloaded artifact, rename it to `constellation.raw`. + * Go to the [S3 bucket for QEMU images](https://s3.console.aws.amazon.com/s3/buckets/cdn-constellation-backend?region=eu-central-1&prefix=constellation/images/mini-constellation/&showversions=false) + * Create a new folder for the given version, and upload `constellation.raw` into it. + + * Replace AWS AMIs for this version and next in docs in `first-steps.md`. + + 11. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability. ```sh gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false 
@@ -69,14 +87,14 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false ``` - 11. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP. + 12. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP. ```sh gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false ``` - 12. Create a new tag on this release branch + 13. Create a new tag on this release branch ```sh git tag v$ver 
@@ -90,7 +108,22 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers ``` * The previous step will create a draft release. Check build output for link to draft release. Review & approve. -6. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users. +6. Export, download and make image available in S3 for trusted launch users. To achieve this: + + ```sh + TARGET_DISK=export-${ver} + az disk create -g constellation-images -l westus -n ${TARGET_DISK} --hyper-v-generation V2 --os-type Linux --sku standard_lrs --security-type TrustedLaunch --gallery-image-reference /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/${ver} + ``` + + * Find the created resource in Azure + * Go to `Settings` -> `Export` and `Generate URLs` + * Download both the disk image (first link) and VM state (second link) + * Rename disk (`abcd`) to `constellation.img`. + * Rename state (UUID) to `constellation.vmgs`. + * Go to [AWS S3 bucket for trusted launch](https://s3.console.aws.amazon.com/s3/buckets/cdn-constellation-backend?prefix=constellation/images/azure/trusted-launch/®ion=eu-central-1), create a new folder with the given version number. + * Upload both image and state into the newly created folder. + * Delete the disk in Azure! + 7. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main 8. Milestones management 1. Create a new milestone for the next release 
@@ -107,3 +140,13 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers git tag v$nextMinorVer-pre git push origin main v$nextMinorVer-pre ``` + +10. Test Constellation mini up + +11. Upload AWS measurements to S3 bucket: + * Create an AWS cluster using the released version. + * Use `hack/pcr-reader` to download measurements. + * Create a new folder named after each AWS AMI in [S3 public bucket](https://s3.console.aws.amazon.com/s3/buckets/public-edgeless-constellation?region=us-east-2&tab=objects). + * Keep measurements: 4, 8, 9, 11, 12, 13. + * Sign the measurements using `cosign sign-blob`. + * Upload both `measurements.yaml` & `measurements.yaml.sig` to each created folder in S3. diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b10e8925..4042c92a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - `access-manager` was removed from code base. K8s native way to SSH into nodes documented. +### Fixed + ### Security @@ -43,7 +45,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - `constellation create` on GCP now always uses the local default credentials. -## [2.2.1] - 2022-11-14 +## [2.2.2] - 2022-11-17 + +### Fixed + +- `constellation create` on GCP now always uses the local default credentials. +- A release process error encountered in v2.2.1. This led to a broken QEMU-based Constellation deployment, where PCR[8] didn't match. + +## [2.2.1] - 2022-11-16 ### Changed diff --git a/CMakeLists.txt b/CMakeLists.txt index 8f86e373d..fbd408dcf 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,5 +1,5 @@ cmake_minimum_required(VERSION 3.11) -project(constellation LANGUAGES C VERSION 2.2.1) +project(constellation LANGUAGES C VERSION 2.2.2) set(CLI_BUILD_TAGS "" CACHE STRING "Tags passed to go build of Constellation CLI.") enable_testing() 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml index 244b71f62..d606bc1f4 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml @@ -2,35 +2,35 @@ apiVersion: v2 name: constellation-services description: A chart to deploy all microservices that are part of a valid constellation cluster type: application -version: 2.2.1 +version: 2.2.2 dependencies: - name: kms - version: 2.2.1 + version: 2.2.2 tags: - Azure - GCP - AWS - QEMU - name: join-service - version: 2.2.1 + version: 2.2.2 tags: - Azure - GCP - AWS - QEMU - name: ccm - version: 2.2.1 + version: 2.2.2 tags: - Azure - GCP - AWS - name: cnm - version: 2.2.1 + version: 2.2.2 tags: - Azure - name: autoscaler - version: 2.2.1 + version: 2.2.2 tags: - Azure - GCP diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml index 4ac29e9f3..1ffddc4a3 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml @@ -2,4 +2,4 @@ apiVersion: v2 name: autoscaler description: A Helm chart to deploy the cluster autoscaler. type: application -version: 2.2.1 +version: 2.2.2 diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml index a5560c952..1c2ebe5d8 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml 
@@ -2,4 +2,4 @@ apiVersion: v2
 name: ccm
 description: A Helm chart to deploy the cloud controller manager.
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
index f546742dd..226e5a43b 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: cnm
 description: A chart to deploy cloud node manager for constellation
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
index 54b733bb1..37afc68a1 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: join-service
 description: A chart to deploy the Constellation join-service
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
index e5f64e131..4309d1ee7 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: kms
 description: A Helm chart to deploy the Constellation Key Management Service
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/internal/config/images_enterprise.go b/internal/config/images_enterprise.go
index 8f85aefec..020b66b1a 100644
--- a/internal/config/images_enterprise.go
+++ b/internal/config/images_enterprise.go
@@ -9,6 +9,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config
 const ( 
- DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.1" 
- DefaultImageGCP = "projects/constellation-images/global/images/constellation-v2-2-1" 
+ DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.2" 
+ DefaultImageGCP = "projects/constellation-images/global/images/constellation-v2-2-2"
 )
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index 036b642b7..d0b31818a 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -73,7 +73,7 @@ const (
 LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce" // renovate:container
 // ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images. 
- ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.1/constellation.raw" 
+ ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.2/constellation.raw"
 // currently supported versions.
 //nolint:revive