From 65d28f913f95d5479f9d8747f0cf3413e4ff5e0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= Date: Thu, 25 Jan 2024 15:32:19 +0100 Subject: [PATCH] Allow starting e2e tests based on attestation variant instead of csp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Weiße --- .github/actions/cdbg_deploy/action.yml | 4 + .../actions/constellation_create/action.yml | 14 +- .../constellation_iam_create/action.yml | 5 +- .../actions/deploy_logcollection/action.yml | 4 + .github/actions/e2e_benchmark/action.yml | 4 + .github/actions/e2e_malicious_join/action.yml | 5 +- .github/actions/e2e_test/action.yml | 10 +- .github/actions/e2e_verify/action.yml | 15 +- .github/actions/notify_e2e_failure/action.yml | 6 +- .../actions/self_managed_create/action.yml | 5 +- .github/workflows/e2e-test-daily.yml | 20 ++- .github/workflows/e2e-test-internal-lb.yml | 15 +- .../workflows/e2e-test-marketplace-image.yml | 14 +- .github/workflows/e2e-test-release.yml | 120 ++++++++++---- .github/workflows/e2e-test-self-managed.yml | 15 +- .../workflows/e2e-test-terraform-provider.yml | 15 +- .github/workflows/e2e-test-weekly.yml | 155 +++++++++++++----- .github/workflows/e2e-test.yml | 46 ++++-- .github/workflows/e2e-upgrade.yml | 71 ++++---- debugd/internal/debugd/logcollector/fields.go | 11 +- 20 files changed, 377 insertions(+), 177 deletions(-) diff --git a/.github/actions/cdbg_deploy/action.yml b/.github/actions/cdbg_deploy/action.yml index d2c7f4140..9009c3043 100644 --- a/.github/actions/cdbg_deploy/action.yml +++ b/.github/actions/cdbg_deploy/action.yml @@ -14,6 +14,9 @@ inputs: cloudProvider: description: "The cloud provider to use." required: true + attestationVariant: + description: "Attestation variant of the cluster." + required: false kubernetesVersion: description: "Kubernetes version to create the cluster from." required: true 
@@ -98,6 +101,7 @@ runs: --info logcollect.github.ref-stream="${{ inputs.refStream }}" \ --info logcollect.github.kubernetes-version="${{ inputs.kubernetesVersion }}" \ --info logcollect.github.cluster-creation="${{ inputs.clusterCreation }}" \ + --info logcollect.github.attestation-variant="${{ inputs.attestationVariant }}" \ --info logcollect.deployment-type="debugd" \ --verbosity=-1 \ --force diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index fa2d8f7e3..9da2923ca 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -11,6 +11,9 @@ inputs: cloudProvider: description: "Either 'gcp', 'aws' or 'azure'." required: true + attestationVariant: + description: "Attestation variant to use." + required: true machineType: description: "Machine type of VM to spawn." required: false @@ -83,7 +86,7 @@ runs: if: inputs.azureSNPEnforcementPolicy != '' shell: bash run: | - if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then + if [[ ${{ inputs.attestationVariant }} != 'azure-sev-snp' ]]; then echo "SNP enforcement policy is only supported for Azure" exit 1 fi 
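Review bot: In the azureSNPEnforcementPolicy guard of constellation_create the check now keys on `azure-sev-snp`, but the error message still says "only supported for Azure", which is misleading once azure-tdx is a valid variant that also fails this check; change it to `echo "SNP enforcement policy is only supported for azure-sev-snp"`. The interpolated input is also unquoted inside `[[ ]]`, so an empty or space-containing value becomes a bash syntax error instead of a clean failure; write `if [[ "${{ inputs.attestationVariant }}" != 'azure-sev-snp' ]]; then`, or pass the value through `env:` and test `"$ATTESTATION_VARIANT"`. The same unquoted interpolation is added in constellation_iam_create's `config generate` line and in e2e_verify's `[[ … == "azure-sev-snp" ]]` tests; fixing it once in a shared style would keep the three actions consistent.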
@@ -161,24 +164,21 @@ runs: if : inputs.clusterCreation != 'self-managed' shell: bash run: | - # TODO(v2.14): Remove workaround for CLIs not supporting apply command - cmd='apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s' - if constellation --help | grep -q create; then - cmd=create - fi - constellation $cmd -y --debug --tf-log=DEBUG + constellation apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s -y --debug --tf-log=DEBUG - name: Constellation create (self-managed) if : inputs.clusterCreation == 'self-managed' uses: ./.github/actions/self_managed_create with: cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} - name: Cdbg deploy if: inputs.isDebugImage == 'true' uses: ./.github/actions/cdbg_deploy with: cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} test: ${{ inputs.test }} azureClusterCreateCredentials: ${{ inputs.azureClusterCreateCredentials }} azureIAMCreateCredentials: ${{ inputs.azureIAMCreateCredentials }} diff --git a/.github/actions/constellation_iam_create/action.yml b/.github/actions/constellation_iam_create/action.yml index f5f307e88..aca32378e 100644 --- a/.github/actions/constellation_iam_create/action.yml +++ b/.github/actions/constellation_iam_create/action.yml @@ -5,6 +5,9 @@ inputs: cloudProvider: description: "Either 'aws', 'azure' or 'gcp'." required: true + attestationVariant: + description: "The attestation variant to use." + required: true kubernetesVersion: description: "Kubernetes version to create the cluster from." required: false @@ -46,7 +49,7 @@ runs: fi echo "flag=--update-config" | tee -a "$GITHUB_OUTPUT" - constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag} + constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag} --attestation ${{ inputs.attestationVariant }} - name: Constellation iam create aws shell: bash 
diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml index 8bafa9ed2..0f77eaae8 100644 --- a/.github/actions/deploy_logcollection/action.yml +++ b/.github/actions/deploy_logcollection/action.yml @@ -20,6 +20,9 @@ inputs: provider: description: "The CSP of the cluster." required: true + attestationVariant: + description: "Attestation variant of the cluster." + required: false isDebugImage: description: "Whether the cluster is a debug cluster / uses a debug image." required: true @@ -58,6 +61,7 @@ runs: --fields github.ref-stream="${{ inputs.refStream }}" \ --fields github.kubernetes-version="${{ inputs.kubernetesVersion }}" \ --fields github.cluster-creation="${{ inputs.clusterCreation }}" \ + --fields github.attestation-variant="${{ inputs.attestationVariant }}" \ --fields deployment-type="k8s" # Make sure that helm is installed diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml index 09edeb89e..c680a7370 100644 --- a/.github/actions/e2e_benchmark/action.yml +++ b/.github/actions/e2e_benchmark/action.yml @@ -5,6 +5,10 @@ inputs: cloudProvider: description: "Which cloud provider to use." required: true + # TODO: Create different report depending on the attestation variant + attestationVariant: + description: "Which attestation variant to use." + required: true kubeconfig: description: "The kubeconfig of the cluster to test." required: true diff --git a/.github/actions/e2e_malicious_join/action.yml b/.github/actions/e2e_malicious_join/action.yml index 99142c5fd..9fd11cd9a 100644 --- a/.github/actions/e2e_malicious_join/action.yml +++ b/.github/actions/e2e_malicious_join/action.yml @@ -5,6 +5,9 @@ inputs: cloudProvider: description: "The cloud provider the test runs on." required: true + attestationVariant: + description: "The attestation variant used in the cluster." + required: true kubeconfig: description: "The kubeconfig file for the cluster." required: true 
@@ -34,7 +37,7 @@ runs: [ \"/malicious-join_bin\", \ \"--js-endpoint=join-service.kube-system:9090\", \ \"--csp=${{ inputs.cloudProvider }}\", \ - \"--variant=default\" ]" stamped_job.yaml + \"--variant=${{ inputs.attestationVariant }}\" ]" stamped_job.yaml kubectl create ns malicious-join kubectl apply -n malicious-join -f stamped_job.yaml diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index 99452fa46..56ff18f3c 100644 --- a/.github/actions/e2e_test/action.yml +++ b/.github/actions/e2e_test/action.yml @@ -11,6 +11,9 @@ inputs: cloudProvider: description: "Which cloud provider to use." required: true + attestationVariant: + description: "Which attestation variant to use." + required: true machineType: description: "VM machine type. Make sure it matches selected cloud provider!" osImage: @@ -248,6 +251,7 @@ runs: uses: ./.github/actions/constellation_iam_create with: cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} namePrefix: ${{ steps.create-prefix.outputs.prefix }} awsZone: ${{ inputs.regionZone || 'us-east-2c' }} azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region }} @@ -281,6 +285,7 @@ runs: uses: ./.github/actions/constellation_create with: cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} workerNodesCount: ${{ inputs.workerNodesCount }} controlNodesCount: ${{ inputs.controlNodesCount }} machineType: ${{ inputs.machineType }} @@ -311,6 +316,7 @@ runs: opensearchPwd: ${{ inputs.awsOpenSearchPwd }} test: ${{ inputs.test }} provider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} isDebugImage: ${{ inputs.isDebugImage }} kubernetesVersion: ${{ inputs.kubernetesVersion }} refStream: ${{ inputs.refStream }} 
@@ -363,6 +369,7 @@ runs: uses: ./.github/actions/e2e_benchmark with: cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }} awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }} @@ -373,7 +380,7 @@ runs: if: inputs.test == 'verify' uses: ./.github/actions/e2e_verify with: - cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} osImage: ${{ steps.constellation-create.outputs.osImageUsed }} kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} cosignPassword: ${{ inputs.cosignPassword }} @@ -391,6 +398,7 @@ runs: uses: ./.github/actions/e2e_malicious_join with: cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }} githubToken: ${{ inputs.githubToken }} diff --git a/.github/actions/e2e_verify/action.yml b/.github/actions/e2e_verify/action.yml index ae402fa26..481d7d0e1 100644 --- a/.github/actions/e2e_verify/action.yml +++ b/.github/actions/e2e_verify/action.yml @@ -5,8 +5,8 @@ inputs: osImage: description: "The OS image used in the cluster." required: true - cloudProvider: - description: "The cloud provider used in the cluster." + attestationVariant: + description: "The attestation variant used in the cluster." required: true kubeconfig: description: "The kubeconfig file for the cluster." 
@@ -67,7 +67,7 @@ runs: sleep 5 # TODO(v2.15): Remove workaround since we don't need to support v2.13 anymore - if [[ ${{ inputs.cloudProvider }} == "azure" ]] || { [[ ${{ inputs.cloudProvider }} == "aws" ]] && ! constellation version | grep -q "v2.13."; }; then + if [[ ${{ inputs.attestationVariant }} == "azure-sev-snp" ]] || { [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && ! constellation version | grep -q "v2.13."; }; then echo "Extracting TCB versions for API update" constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json" else @@ -85,13 +85,13 @@ runs: aws-region: eu-central-1 - name: Upload extracted TCBs - if: github.ref_name == 'main' && (inputs.cloudProvider == 'azure' || inputs.cloudProvider == 'aws') + if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp') shell: bash env: COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} run: | - if [[ ${{ inputs.cloudProvider }} == "aws" ]] && constellation version | grep -q "v2.13."; then + if [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && constellation version | grep -q "v2.13."; then echo "Skipping TCB upload for AWS on CLI v2.13" exit 0 fi @@ -101,8 +101,11 @@ runs: exit 1 fi + attestationVariant=${{ inputs.attestationVariant }} + cloudProvider=${attestationVariant%%-*} + for file in "${reports[@]}"; do path=$(realpath "${file}") cat "${path}" - bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.cloudProvider }} snp-report "${path}" + bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}" done diff --git a/.github/actions/notify_e2e_failure/action.yml b/.github/actions/notify_e2e_failure/action.yml index 0c6a758a0..4543c6041 100644 --- a/.github/actions/notify_e2e_failure/action.yml +++ b/.github/actions/notify_e2e_failure/action.yml 
@@ -11,6 +11,9 @@ inputs: provider: description: "CSP" required: true + attestationVariant: + description: "Attestation variant" + required: false refStream: description: "RefStream of the run" required: false @@ -63,6 +66,7 @@ runs: (query:(match_phrase:(metadata.github.run-id:${{ github.run_id }}))), (query:(match_phrase:(metadata.github.ref-stream:${{ inputs.refStream }}))), (query:(match_phrase:(metadata.github.kubernetes-version:${{ inputs.kubernetesVersion }}))), + (query:(match_phrase:(metadata.github.attestation-variant:${{ inputs.attestationVariant }}))), (query:(match_phrase:(metadata.github.e2e-test-payload:'${{ steps.encode-uri-component.outputs.string }}'))) ))" | tr -d "\t\n ") @@ -92,7 +96,7 @@ runs: fields: | workflow: ${{ github.workflow }} kubernetesVersion: ${{ inputs.kubernetesVersion }} - cloudProvider: ${{ inputs.provider }} + attestationVariant: ${{ inputs.attestationVariant }} clusterCreation: ${{ inputs.clusterCreation }} test: ${{ inputs.test }} refStream: ${{ inputs.refStream }} diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml index 354f7220c..de23212dd 100644 --- a/.github/actions/self_managed_create/action.yml +++ b/.github/actions/self_managed_create/action.yml @@ -5,6 +5,9 @@ inputs: cloudProvider: description: "The cloud provider the test runs on." required: true + attestationVariant: + description: "The attestation variant to use." + required: true runs: using: "composite" @@ -81,7 +84,7 @@ runs: - name: Patch MAA Policy shell: bash working-directory: ${{ github.workspace }}/e2e-infra - if: inputs.cloudProvider == 'azure' + if: inputs.attestationVariant == 'azure-sev-snp' run: | constellation maa-patch $(terraform output attestation_url | jq -r) diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index 2a94d260f..5c3e877a3 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml 
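Review bot: In notify_e2e_failure the message field `cloudProvider: ${{ inputs.provider }}` is replaced by `attestationVariant: ${{ inputs.attestationVariant }}`, but `attestationVariant` is declared `required: false` while `provider` stays required, so a caller that omits the new input gets a blank field and the CSP disappears from the notification entirely. The e2e-test-daily.yml notify step in this patch (hunk `@@ -123,7 +133,7 @@`) is such a caller: it only passes `provider`. Either mark the input `required: true` and pass it from every workflow, or keep both lines under `fields:`: `cloudProvider: ${{ inputs.provider }}` followed by `attestationVariant: ${{ inputs.attestationVariant }}`. The added OpenSearch `match_phrase` on `metadata.github.attestation-variant` has the same exposure: with an empty input the query term is empty, which is likely to break the log link for those runs.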
@@ -46,7 +46,7 @@ jobs: max-parallel: 5 matrix: kubernetesVersion: ["1.28"] # should be default - provider: ["gcp", "azure", "aws"] + attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"] refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"] test: ["sonobuoy full"] runs-on: ubuntu-22.04 @@ -63,13 +63,23 @@ jobs: fetch-depth: 0 ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} + - name: Split attestationVariant + id: split-attestationVariant + shell: bash + run: | + attestationVariant="${{ matrix.attestationVariant }}" + cloudProvider="${attestationVariant%%-*}" + + echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT" + - name: Run E2E test id: e2e_test uses: ./.github/actions/e2e_test with: workerNodesCount: "2" controlNodesCount: "3" - cloudProvider: ${{ matrix.provider }} + cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} + attestationVariant: ${{ matrix.attestationVariant }} osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }} isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }} cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }} @@ -99,7 +109,7 @@ jobs: with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} clusterCreation: "cli" - cloudProvider: ${{ matrix.provider }} + cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" 
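Review bot: The new `Split attestationVariant` step derives the CSP with `${attestationVariant%%-*}` inline in the workflow, and the identical step is pasted into e2e-test-release.yml (hunk `@@ -232,8 +272,17 @@`), so the variant-name-to-CSP convention is now encoded in two places with no single owner. Consider moving it into a small composite action so a variant whose name does not start with the CSP, or a rename, is handled once. A one-line comment above the step would also make the assumption visible: `# The CSP is the prefix of the attestation variant name, e.g. azure-sev-snp -> azure`.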
@@ -107,7 +117,7 @@ jobs: if: always() uses: ./.github/actions/constellation_iam_destroy with: - cloudProvider: ${{ matrix.provider }} + cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com" @@ -123,7 +133,7 @@ jobs: refStream: ${{ matrix.refStream }} test: ${{ matrix.test }} kubernetesVersion: ${{ matrix.kubernetesVersion }} - provider: ${{ matrix.provider }} + provider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} clusterCreation: "cli" e2e-mini: diff --git a/.github/workflows/e2e-test-internal-lb.yml b/.github/workflows/e2e-test-internal-lb.yml index ce9bd2bc3..6e87bd30d 100644 --- a/.github/workflows/e2e-test-internal-lb.yml +++ b/.github/workflows/e2e-test-internal-lb.yml @@ -7,14 +7,15 @@ on: description: "Number of nodes to use in the cluster. Given in format `:`." default: "3:2" type: string - cloudProvider: - description: "Which cloud provider to use." + attestationVariant: + description: "Which attestation variant to use." type: choice options: - - "gcp" - - "azure" - - "aws" - default: "azure" + - "gcp-sev-es" + - "azure-sev-snp" + - "azure-tdx" + - "aws-sev-snp" + default: "azure-sev-snp" required: true runner: description: "Architecture of the runner that executes the CLI" @@ -76,7 +77,7 @@ jobs: uses: ./.github/workflows/e2e-test.yml with: nodeCount: ${{ inputs.nodeCount }} - cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} runner: ${{ inputs.runner }} test: ${{ inputs.test }} kubernetesVersion: ${{ inputs.kubernetesVersion }} diff --git a/.github/workflows/e2e-test-marketplace-image.yml b/.github/workflows/e2e-test-marketplace-image.yml index 722c43114..c0f7f7bde 100644 --- a/.github/workflows/e2e-test-marketplace-image.yml +++ b/.github/workflows/e2e-test-marketplace-image.yml 
@@ -7,12 +7,16 @@ on: description: "Number of nodes to use in the cluster. Given in format `:`." default: "3:2" type: string - cloudProvider: - description: "Which cloud provider to use." + attestationVariant: + description: "Which attestation variant to use." type: choice options: - - "azure" - - "gcp" + - "gcp-sev-es" + - "azure-sev-snp" + - "azure-tdx" + # AWS not yet supported + # - "aws-sev-snp" + default: "azure-sev-snp" required: true runner: description: "Architecture of the runner that executes the CLI" @@ -74,7 +78,7 @@ jobs: uses: ./.github/workflows/e2e-test.yml with: nodeCount: ${{ inputs.nodeCount }} - cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} runner: ${{ inputs.runner }} test: ${{ inputs.test }} kubernetesVersion: ${{ inputs.kubernetesVersion }} diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml index e1229b088..8a787df03 100644 --- a/.github/workflows/e2e-test-release.yml +++ b/.github/workflows/e2e-test-release.yml 
@@ -46,130 +46,165 @@ jobs: # sonobuoy full test on all k8s versions - test: "sonobuoy full" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + runner: "ubuntu-22.04" + clusterCreation: "cli" + - test: "sonobuoy full" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.28" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.28" + runner: "ubuntu-22.04" + clusterCreation: "cli" + - test: "sonobuoy full" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.27" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.27" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "sonobuoy full" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.27" + runner: "ubuntu-22.04" + clusterCreation: "cli" + - test: "sonobuoy full" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.27" runner: "ubuntu-22.04" clusterCreation: "cli" # verify test on latest k8s version - test: "verify" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" 
runner: "ubuntu-22.04" clusterCreation: "cli" - test: "verify" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "verify" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + runner: "ubuntu-22.04" + clusterCreation: "cli" + - test: "verify" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" # recover test on latest k8s version - test: "recover" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "recover" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "recover" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + runner: "ubuntu-22.04" + clusterCreation: "cli" + - test: "recover" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" # lb test on latest k8s version - test: "lb" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "lb" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "lb" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + runner: "ubuntu-22.04" + clusterCreation: "cli" + - test: "lb" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" # autoscaling test on latest k8s version - test: "autoscaling" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "autoscaling" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" 
clusterCreation: "cli" - test: "autoscaling" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + runner: "ubuntu-22.04" + clusterCreation: "cli" + - test: "autoscaling" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" # perf-bench test on latest k8s version, not supported on AWS - test: "perf-bench" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" - test: "perf-bench" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" @@ -177,17 +212,22 @@ jobs: # self-managed infra test on latest k8s version # runs Sonobuoy full test - test: "sonobuoy full" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "self-managed" - test: "sonobuoy full" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "self-managed" - test: "sonobuoy full" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + runner: "ubuntu-22.04" + clusterCreation: "self-managed" + - test: "sonobuoy full" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "self-managed" @@ -195,7 +235,7 @@ jobs: # s3proxy test on latest k8s version - test: "s3proxy" refStream: "ref/main/stream/debug/?" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "ubuntu-22.04" clusterCreation: "cli" 
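Review bot: The release matrix adds azure-tdx to every test group except perf-bench, but the comment above that group still reads `# perf-bench test on latest k8s version, not supported on AWS`, so the omission of azure-tdx reads as accidental rather than deliberate. The weekly workflow in this same patch records the gap with a commented-out entry and `# TODO: check what needs to be done for perf-bench on Azure TDX`; mirror that comment here so both matrices document why the variant is missing. Hunk `@@ -46,130 +46,165 @@` starts in an earlier physical line and the `include:` header of the matrix is outside the hunk.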
@@ -206,11 +246,11 @@ jobs: # Skipping verify test on MacOS since the runner uses a different version of sed # TODO(3u13r): Update verify test to work on MacOS runners # - test: "verify" - # provider: "azure" + # attestationVariant: "azure-sev-snp" # kubernetes-version: "v1.29" # runner: "macos-12" - test: "recover" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" runner: "macos-12" clusterCreation: "cli" @@ -232,8 +272,17 @@ jobs: fetch-depth: 0 ref: ${{ inputs.ref || github.head_ref }} + - name: Split attestationVariant + id: split-attestationVariant + shell: bash + run: | + attestationVariant="${{ matrix.attestationVariant }}" + cloudProvider="${attestationVariant%%-*}" + + echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT" + - name: Set up gcloud CLI (macOS) - if: matrix.provider == 'gcp' && runner.os == 'macOS' + if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS' uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - name: Run E2E test @@ -242,7 +291,8 @@ jobs: with: workerNodesCount: "2" controlNodesCount: "3" - cloudProvider: ${{ matrix.provider }} + cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} + attestationVariant: ${{ matrix.attestationVariant }} cliVersion: "" kubernetesVersion: ${{ matrix.kubernetes-version }} osImage: "" @@ -273,7 +323,7 @@ jobs: with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} clusterCreation: ${{ matrix.clusterCreation }} - cloudProvider: ${{ matrix.provider }} + cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" 
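Review bot: The macOS gcloud setup condition references `steps.split-attestationVariant.outputs.provider`, but the split step writes its output as `cloudProvider`, so the expression compares an empty string with 'gcp' and the step will never run on macOS runners; the `recover` entry for `gcp-sev-es` on `macos-12` in this matrix depends on it. Change it to `if: steps.split-attestationVariant.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'`, matching the `cloudProvider:` references in the Run E2E test, destroy and iam_destroy steps in the following hunks.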
@@ -281,7 +331,7 @@ jobs: if: always() uses: ./.github/actions/constellation_iam_destroy with: - cloudProvider: ${{ matrix.provider }} + cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com" @@ -291,7 +341,7 @@ jobs: max-parallel: 1 matrix: fromVersion: ["v2.14.0"] - cloudProvider: ["gcp", "azure", "aws"] + attestationVariant: ["gcp-sev-es", "azure-sev-snp", "aws-sev-snp"] # TODO(v2.15) Add azure-tdx to test matrix name: Run upgrade tests secrets: inherit permissions: @@ -303,6 +353,6 @@ jobs: with: fromVersion: ${{ matrix.fromVersion }} toImage: ${{ inputs.targetVersion }} - cloudProvider: ${{ matrix.cloudProvider }} + attestationVariant: ${{ matrix.attestationVariant }} nodeCount: '3:2' gitRef: ${{ inputs.ref || github.head_ref }} diff --git a/.github/workflows/e2e-test-self-managed.yml b/.github/workflows/e2e-test-self-managed.yml index c78b7eeb8..c0573fda8 100644 --- a/.github/workflows/e2e-test-self-managed.yml +++ b/.github/workflows/e2e-test-self-managed.yml @@ -7,14 +7,15 @@ on: description: "Number of nodes to use in the cluster. Given in format `:`." default: "3:2" type: string - cloudProvider: - description: "Which cloud provider to use." + attestationVariant: + description: "Which attestation variant to use." type: choice options: - - "gcp" - - "azure" - - "aws" - default: "azure" + - "gcp-sev-es" + - "azure-sev-snp" + - "azure-tdx" + - "aws-sev-snp" + default: "azure-sev-snp" required: true runner: description: "Architecture of the runner that executes the CLI" @@ -76,7 +77,7 @@ jobs: uses: ./.github/workflows/e2e-test.yml with: nodeCount: ${{ inputs.nodeCount }} - cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} runner: ${{ inputs.runner }} test: ${{ inputs.test }} kubernetesVersion: ${{ inputs.kubernetesVersion }} 
diff --git a/.github/workflows/e2e-test-terraform-provider.yml b/.github/workflows/e2e-test-terraform-provider.yml index 58ab5e525..f62b204d1 100644 --- a/.github/workflows/e2e-test-terraform-provider.yml +++ b/.github/workflows/e2e-test-terraform-provider.yml @@ -7,14 +7,15 @@ on: description: "Number of nodes to use in the cluster. Given in format `:`." default: "3:2" type: string - cloudProvider: - description: "Which cloud provider to use." + attestationVariant: + description: "Which attestation variant to use." type: choice options: - - "gcp" - - "azure" - - "aws" - default: "azure" + - "gcp-sev-es" + - "azure-sev-snp" + - "azure-tdx" + - "aws-sev-snp" + default: "azure-sev-snp" required: true runner: description: "Architecture of the runner that executes the CLI" @@ -76,7 +77,7 @@ jobs: uses: ./.github/workflows/e2e-test.yml with: nodeCount: ${{ inputs.nodeCount }} - cloudProvider: ${{ inputs.cloudProvider }} + attestationVariant: ${{ inputs.attestationVariant }} runner: ${{ inputs.runner }} test: ${{ inputs.test }} kubernetesVersion: ${{ inputs.kubernetesVersion }} diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index fc5a0e2f8..38c8ce056 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml 
@@ -54,66 +54,86 @@ jobs: # sonobuoy full test on all k8s versions - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + clusterCreation: "cli" + - test: "sonobuoy full" + refStream: "ref/main/stream/debug/?" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.28" + clusterCreation: "cli" + - test: "sonobuoy full" + refStream: "ref/main/stream/debug/?" + attestationVariant: "aws-sev-snp" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.27" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.27" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" - provider: "aws" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.27" + clusterCreation: "cli" + - test: "sonobuoy full" + refStream: "ref/main/stream/debug/?" 
+ attestationVariant: "aws-sev-snp" kubernetes-version: "v1.27" clusterCreation: "cli" # verify test on latest k8s version - test: "verify" refStream: "ref/main/stream/debug/?" - provider: "gcp" + attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" refStream: "ref/main/stream/debug/?" - provider: "azure" + attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests. clusterCreation: "cli" - test: "verify" - provider: "aws" + refStream: "ref/main/stream/debug/?" + attestationVariant: "azure-tdx" + kubernetes-version: "v1.29" + clusterCreation: "cli" + - test: "verify" + attestationVariant: "aws-sev-snp" refStream: "ref/main/stream/debug/?" kubernetes-version: "v1.29" clusterCreation: "cli" 
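Review bot: The `verify` entry for `aws-sev-snp` lists `attestationVariant` before `refStream`, while every other entry in this include list orders `test`, `refStream`, `attestationVariant`, `kubernetes-version`, `clusterCreation`; reorder it to match so the matrix stays diffable and greppable. The ordering was inherited from the old `provider: "aws"` line, so this is a good moment to align it. Hunk `@@ -54,66 +54,86 @@` begins in the previous physical line and its `include:` header is outside the hunk.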
@@ -121,80 +141,106 @@ jobs:
 # recover test on latest k8s version
 - test: "recover"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "recover"
 refStream: "ref/main/stream/debug/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "recover"
 refStream: "ref/main/stream/debug/?"
- provider: "aws"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.29"
+ clusterCreation: "cli"
+ - test: "recover"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "aws-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 # lb test on latest k8s version
 - test: "lb"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "lb"
 refStream: "ref/main/stream/debug/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "lb"
 refStream: "ref/main/stream/debug/?"
- provider: "aws"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.29"
+ clusterCreation: "cli"
+ - test: "lb"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "aws-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 # autoscaling test on latest k8s version
 - test: "autoscaling"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "autoscaling"
 refStream: "ref/main/stream/debug/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "autoscaling"
 refStream: "ref/main/stream/debug/?"
- provider: "aws"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.29"
+ clusterCreation: "cli"
+ - test: "autoscaling"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "aws-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 # perf-bench test on latest k8s version, not supported on AWS
 - test: "perf-bench"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "perf-bench"
 refStream: "ref/main/stream/debug/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
+ # TODO: check what needs to be done for perf-bench on Azure TDX
+ #- test: "perf-bench"
+ # refStream: "ref/main/stream/debug/?"
+ # attestationVariant: "azure-tdx"
+ # kubernetes-version: "v1.29"
+ # clusterCreation: "cli"
 # malicious join test on latest k8s version
 - test: "malicious join"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "malicious join"
 refStream: "ref/main/stream/debug/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
 - test: "malicious join"
 refStream: "ref/main/stream/debug/?"
- provider: "aws"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.29"
+ clusterCreation: "cli"
+ - test: "malicious join"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "aws-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
@@ -202,40 +248,50 @@ jobs:
 # with Sonobuoy full
 - test: "sonobuoy full"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "self-managed"
 - test: "sonobuoy full"
 refStream: "ref/main/stream/debug/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "self-managed"
 - test: "sonobuoy full"
- provider: "aws"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.29"
+ clusterCreation: "self-managed"
+ - test: "sonobuoy full"
+ attestationVariant: "aws-sev-snp"
 refStream: "ref/main/stream/debug/?"
 kubernetes-version: "v1.29"
 clusterCreation: "self-managed"
 - test: "sonobuoy full"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "terraform"
 - test: "sonobuoy full"
 refStream: "ref/main/stream/debug/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "terraform"
 - test: "sonobuoy full"
 refStream: "ref/main/stream/debug/?"
- provider: "aws"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.29"
+ clusterCreation: "terraform"
+ - test: "sonobuoy full"
+ refStream: "ref/main/stream/debug/?"
+ attestationVariant: "aws-sev-snp"
 kubernetes-version: "v1.29"
 clusterCreation: "terraform"
 # s3proxy test on latest k8s version
 - test: "s3proxy"
 refStream: "ref/main/stream/debug/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.29"
 clusterCreation: "cli"
@@ -246,17 +302,22 @@ jobs:
 # verify test on default k8s version
 - test: "verify"
 refStream: "ref/release/stream/stable/?"
- provider: "gcp"
+ attestationVariant: "gcp-sev-es"
 kubernetes-version: "v1.28"
 clusterCreation: "cli"
 - test: "verify"
 refStream: "ref/release/stream/stable/?"
- provider: "azure"
+ attestationVariant: "azure-sev-snp"
 kubernetes-version: "v1.28"
 clusterCreation: "cli"
 - test: "verify"
 refStream: "ref/release/stream/stable/?"
- provider: "aws"
+ attestationVariant: "azure-tdx"
+ kubernetes-version: "v1.28"
+ clusterCreation: "cli"
+ - test: "verify"
+ refStream: "ref/release/stream/stable/?"
+ attestationVariant: "aws-sev-snp"
 kubernetes-version: "v1.28"
 clusterCreation: "cli"
@@ -274,13 +335,23 @@ jobs:
 fetch-depth: 0
 ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+ - name: Split attestationVariant
+ id: split-attestationVariant
+ shell: bash
+ run: |
+ attestationVariant="${{ matrix.attestationVariant }}"
+ cloudProvider="${attestationVariant%%-*}"
+
+ echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
 - name: Run E2E test
 id: e2e_test
 uses: ./.github/actions/e2e_test
 with:
 workerNodesCount: "2"
 controlNodesCount: "3"
- cloudProvider: ${{ matrix.provider }}
+ cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+ attestationVariant: ${{ matrix.attestationVariant }}
 osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
 isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
 cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
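Review bot: The new `Split attestationVariant` step takes whatever precedes the first `-` as `cloudProvider` without checking that the result is one of `gcp`, `azure` or `aws`, so a variant string outside the four values listed in the `workflow_dispatch` choices yields a provider that none of the downstream `if: ... == 'gcp'` gates match, and the per-provider login and cleanup steps are silently skipped while the create step still runs. The same step is added again in the e2e-test.yml hunk `@@ -150,6 +152,15 @@` and the e2e-upgrade.yml hunk `@@ -111,6 +114,15 @@`; there it reads `inputs.attestationVariant`, which under the `workflow_call` trigger is an unconstrained `type: string`, and it is interpolated straight into the `run:` script, so the usual hardening is to hand the value over via `env:` and reject unknown prefixes. A rewritten step for those two copies is below; the matrix-driven copy in this hunk would use `${{ matrix.attestationVariant }}` on the `env:` line instead.

```yaml
- name: Split attestationVariant
  id: split-attestationVariant
  shell: bash
  env:
    ATTESTATION_VARIANT: ${{ inputs.attestationVariant }}
  run: |
    cloudProvider="${ATTESTATION_VARIANT%%-*}"
    case "${cloudProvider}" in
      gcp|azure|aws) ;;
      *)
        echo "Unknown attestation variant: ${ATTESTATION_VARIANT}" >&2
        exit 1
        ;;
    esac

    echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
```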
@@ -313,7 +384,7 @@ jobs:
 with:
 kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
 clusterCreation: ${{ matrix.clusterCreation }}
- cloudProvider: ${{ matrix.provider }}
+ cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
 azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@@ -321,7 +392,7 @@ jobs:
 if: always()
 uses: ./.github/actions/constellation_iam_destroy
 with:
- cloudProvider: ${{ matrix.provider }}
+ cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
 azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
@@ -337,7 +408,7 @@ jobs:
 refStream: ${{ matrix.refStream }}
 test: ${{ matrix.test }}
 kubernetesVersion: ${{ matrix.kubernetes-version }}
- provider: ${{ matrix.provider }}
+ provider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
 clusterCreation: ${{ matrix.clusterCreation }}
 e2e-upgrade:
@@ -346,7 +417,7 @@ jobs:
 max-parallel: 1
 matrix:
 fromVersion: ["v2.14.0"]
- cloudProvider: ["gcp", "azure", "aws"]
+ attestationVariant: ["gcp-sev-es", "azure-sev-snp", "aws-sev-snp"] # TODO(v2.15) Add azure-tdx to test matrix
 name: Run upgrade tests
 secrets: inherit
 permissions:
@@ -357,7 +428,7 @@ jobs:
 uses: ./.github/workflows/e2e-upgrade.yml
 with:
 fromVersion: ${{ matrix.fromVersion }}
- cloudProvider: ${{ matrix.cloudProvider }}
+ attestationVariant: ${{ matrix.attestationVariant }}
 nodeCount: '3:2'
 scheduled: ${{ github.event_name == 'schedule' }}
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
index 2218a3270..437ea8932 100644
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
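Review bot: The `notify_e2e_failure` call in the `@@ -337,7 +408,7 @@` hunk passes only the derived `provider` and not `matrix.attestationVariant`, even though that action's own `action.yml` is part of this patch's diffstat; if the action gained an `attestationVariant` input, the failure notifications for the `azure-sev-snp` and `azure-tdx` matrix entries would be indistinguishable since both report `provider: azure`. Adding `attestationVariant: ${{ matrix.attestationVariant }}` next to the `provider:` line would carry the distinction through, assuming the action accepts it. The `with:` block of that step begins before the hunk.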
@@ -7,14 +7,15 @@ on:
 description: "Number of nodes to use in the cluster. Given in format `:`."
 default: "3:2"
 type: string
- cloudProvider:
- description: "Which cloud provider to use."
+ attestationVariant:
+ description: "Which attestation variant to use."
 type: choice
 options:
- - "gcp"
- - "azure"
- - "aws"
- default: "azure"
+ - "gcp-sev-es"
+ - "azure-sev-snp"
+ - "azure-tdx"
+ - "aws-sev-snp"
+ default: "azure-sev-snp"
 required: true
 runner:
 description: "Architecture of the runner that executes the CLI"
@@ -71,8 +72,8 @@ on:
 description: "Number of nodes to use in the cluster. Given in format `:`."
 default: "3:2"
 type: string
- cloudProvider:
- description: "Which cloud provider to use."
+ attestationVariant:
+ description: "Which attestation variant to use."
 type: string
 required: true
 runner:
@@ -124,8 +125,8 @@ on:
 type: boolean
 jobs:
- split-nodeCount:
- name: Split nodeCount
+ generate-input-parameters:
+ name: Generate input parameters
 runs-on: ubuntu-22.04
 permissions:
 id-token: write
@@ -133,6 +134,7 @@ jobs:
 outputs:
 workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
 controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
+ cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
 steps:
 - name: Split nodeCount
 id: split-nodeCount
@@ -150,6 +152,15 @@ jobs:
 echo "workerNodes=${workerNodes}" | tee -a "$GITHUB_OUTPUT"
 echo "controlPlaneNodes=${controlPlaneNodes}" | tee -a "$GITHUB_OUTPUT"
+ - name: Split attestationVariant
+ id: split-attestationVariant
+ shell: bash
+ run: |
+ attestationVariant="${{ inputs.attestationVariant }}"
+ cloudProvider="${attestationVariant%%-*}"
+
+ echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
 find-latest-image:
 name: Select image
 runs-on: ubuntu-22.04
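Review bot: The renamed `generate-input-parameters` job in the `@@ -124,8 +125,8 @@` hunk keeps `id-token: write` in the visible part of its `permissions:` block, although both of its steps only do shell string splitting and write to `$GITHUB_OUTPUT`; a job that never requests an OIDC token has no use for that permission. Unless a step outside this hunk relies on it, `permissions: {}` (or at most `contents: read`) would be the least-privilege setting now that the job is being reworked, and the job of the same name in the e2e-upgrade.yml hunk `@@ -85,8 +87,8 @@` carries the same block. The rest of the permissions block, if any, lies outside the hunk.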
@@ -188,7 +199,7 @@ jobs:
 checks: write
 contents: read
 packages: write
- needs: [find-latest-image, split-nodeCount]
+ needs: [find-latest-image, generate-input-parameters]
 if: always() && !cancelled()
 steps:
 - name: Install basic tools (macOS)
@@ -209,16 +220,17 @@ jobs:
 ref: ${{ inputs.git-ref }}
 - name: Set up gcloud CLI (macOS)
- if: inputs.cloudProvider == 'gcp' && runner.os == 'macOS'
+ if: ${{ needs.generate-input-parameters.outputs.cloudProvider }} == 'gcp' && runner.os == 'macOS'
 uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
 - name: Run manual E2E test
 id: e2e_test
 uses: ./.github/actions/e2e_test
 with:
- workerNodesCount: ${{ needs.split-nodeCount.outputs.workerNodes }}
- controlNodesCount: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
- cloudProvider: ${{ inputs.cloudProvider }}
+ workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
+ controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
+ cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
+ attestationVariant: ${{ inputs.attestationVariant }}
 machineType: ${{ inputs.machineType }}
 regionZone: ${{ inputs.regionZone }}
 gcpProject: constellation-e2e
@@ -254,7 +266,7 @@ jobs:
 with:
 kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
 clusterCreation: ${{ inputs.clusterCreation }}
- cloudProvider: ${{ inputs.cloudProvider }}
+ cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
 azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
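Review bot: The rewritten condition on the `Set up gcloud CLI (macOS)` step in the `@@ -209,16 +220,17 @@` hunk, `if: ${{ needs.generate-input-parameters.outputs.cloudProvider }} == 'gcp' && runner.os == 'macOS'`, wraps only the left operand in `${{ }}`; as far as I know GitHub substitutes that expression and then treats the remaining text as a non-empty string rather than re-evaluating the comparison, so the step would run on every provider and runner. Every other rewritten gate in this patch uses the bare expression form, which is also what this line needs: `if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'`. The step list this belongs to starts before the hunk.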
@@ -262,6 +274,6 @@ jobs:
 if: always()
 uses: ./.github/actions/constellation_iam_destroy
 with:
- cloudProvider: ${{ inputs.cloudProvider }}
+ cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
 azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml
index e221067d3..10051f74d 100644
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@@ -3,14 +3,16 @@ name: e2e test upgrade
 on:
 workflow_dispatch:
 inputs:
- cloudProvider:
- description: "Which cloud provider to use."
+ attestationVariant:
+ description: "Which attestation variant to use."
 type: choice
 options:
- - "gcp"
- - "azure"
- - "aws"
- default: "azure"
+ - "gcp-sev-es"
+ - "azure-sev-snp"
+ - "azure-tdx"
+ - "aws-sev-snp"
+ default: "azure-sev-snp"
+ required: true
 nodeCount:
 description: "Number of nodes to use in the cluster. Given in format `:`."
 default: "3:2"
@@ -45,8 +47,8 @@ on:
 type: string
 workflow_call:
 inputs:
- cloudProvider:
- description: "Which cloud provider to use."
+ attestationVariant:
+ description: "Which attestation variant to use."
 type: string
 required: true
 nodeCount:
@@ -85,8 +87,8 @@ on:
 required: false
 jobs:
- split-nodeCount:
- name: Split nodeCount
+ generate-input-parameters:
+ name: Generate input parameters
 runs-on: ubuntu-22.04
 permissions:
 id-token: write
@@ -94,6 +96,7 @@ jobs:
 outputs:
 workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
 controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
+ cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
 steps:
 - name: Split nodeCount
 id: split-nodeCount
@@ -111,6 +114,15 @@ jobs:
 echo "workerNodes=${workerNodes}" | tee -a "$GITHUB_OUTPUT"
 echo "controlPlaneNodes=${controlPlaneNodes}" | tee -a "$GITHUB_OUTPUT"
+ - name: Split attestationVariant
+ id: split-attestationVariant
+ shell: bash
+ run: |
+ attestationVariant="${{ inputs.attestationVariant }}"
+ cloudProvider="${attestationVariant%%-*}"
+
+ echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
+
 build-target-cli:
 name: Build upgrade target version CLI
 runs-on: ubuntu-22.04
@@ -173,7 +185,7 @@ jobs:
 checks: write
 contents: read
 packages: write
- needs: [split-nodeCount]
+ needs: [generate-input-parameters]
 outputs:
 kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
 steps:
@@ -200,9 +212,10 @@ jobs:
 id: e2e_test
 uses: ./.github/actions/e2e_test
 with:
- workerNodesCount: ${{ needs.split-nodeCount.outputs.workerNodes }}
- controlNodesCount: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
- cloudProvider: ${{ inputs.cloudProvider }}
+ workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
+ controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
+ cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
+ attestationVariant: ${{ inputs.attestationVariant }}
 osImage: ${{ inputs.fromVersion }}
 isDebugImage: "false"
 cliVersion: ${{ inputs.fromVersion }}
@@ -243,7 +256,7 @@ jobs:
 encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Upload SA Key
- if: always() && inputs.cloudProvider == 'gcp'
+ if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
 uses: ./.github/actions/artifact_upload
 with:
 name: sa-key
@@ -260,7 +273,7 @@ jobs:
 contents: read
 packages: write
 needs:
- - split-nodeCount
+ - generate-input-parameters
 - build-target-cli
 - create-cluster
 steps:
@@ -300,13 +313,13 @@ jobs:
 stream: nightly
 - name: Login to GCP (IAM service account)
- if: inputs.cloudProvider == 'gcp'
+ if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
 uses: ./.github/actions/login_gcp
 with:
 service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
 - name: Login to AWS (IAM role)
- if: inputs.cloudProvider == 'aws'
+ if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
@@ -315,7 +328,7 @@ jobs:
 role-duration-seconds: 21600
 - name: Login to Azure (IAM service principal)
- if: inputs.cloudProvider == 'azure'
+ if: needs.generate-input-parameters.outputs.cloudProvider == 'azure'
 uses: ./.github/actions/login_azure
 with:
 azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
@@ -333,7 +346,7 @@ jobs:
 encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 - name: Download SA Key
- if: inputs.cloudProvider == 'gcp'
+ if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
 uses: ./.github/actions/artifact_download
 with:
 name: sa-key
@@ -356,13 +369,13 @@ jobs:
 uses: ./.github/actions/constellation_iam_upgrade
 - name: Login to GCP (Cluster service account)
- if: always() && inputs.cloudProvider == 'gcp'
+ if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
 uses: ./.github/actions/login_gcp
 with:
 service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
 - name: Login to AWS (Cluster role)
- if: always() && inputs.cloudProvider == 'aws'
+ if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
@@ -371,7 +384,7 @@ jobs:
 role-duration-seconds: 21600
 - name: Login to Azure (Cluster service principal)
- if: always() && inputs.cloudProvider == 'azure'
+ if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'azure'
 uses: ./.github/actions/login_azure
 with:
 azure_credentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@@ -382,8 +395,8 @@ jobs:
 IMAGE: ${{ inputs.toImage && inputs.toImage || steps.find-image.outputs.output }}
 KUBERNETES: ${{ inputs.toKubernetes }}
 MICROSERVICES: ${{ inputs.toMicroservices }}
- WORKERNODES: ${{ needs.split-nodeCount.outputs.workerNodes }}
- CONTROLNODES: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
+ WORKERNODES: ${{ needs.generate-input-parameters.outputs.workerNodes }}
+ CONTROLNODES: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
 run: |
 echo "Image target: $IMAGE"
 echo "K8s target: $KUBERNETES"
@@ -427,7 +440,7 @@ jobs:
 contents: read
 packages: write
 if: always()
- needs: [create-cluster, e2e-upgrade]
+ needs: [generate-input-parameters, create-cluster, e2e-upgrade]
 steps:
 - name: Checkout
 if: inputs.gitRef == 'head'
@@ -496,7 +509,7 @@ jobs:
 with:
 clusterCreation: "cli"
 kubeconfig: ${{ needs.create-cluster.outputs.kubeconfig }}
- cloudProvider: ${{ inputs.cloudProvider }}
+ cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
 azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
 gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@@ -504,7 +517,7 @@ jobs:
 if: always()
 uses: ./.github/actions/constellation_iam_destroy
 with:
- cloudProvider: ${{ inputs.cloudProvider }}
+ cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
 azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
 gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
@@ -520,4 +533,4 @@ jobs:
 with:
 projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
 test: "upgrade"
- provider: ${{ inputs.cloudProvider }}
+ provider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
diff --git a/debugd/internal/debugd/logcollector/fields.go b/debugd/internal/debugd/logcollector/fields.go
index 08c3776d7..1de7de844 100644
--- a/debugd/internal/debugd/logcollector/fields.go
+++ b/debugd/internal/debugd/logcollector/fields.go
@@ -32,11 +32,12 @@ var (
 // cloud provider used in e2e test. If deployed with debugd, this is a duplicate as its also
 // available in the metadata. If deployed through K8s in e2e tests with a stable image, this
 // is where the cloud provider is saved in.
- "github.e2e-test-provider": {},
- "github.ref-stream": {},
- "github.kubernetes-version": {},
- "github.cluster-creation": {},
- "deployment-type": {}, // deployment type, e.g. "debugd", "k8s"
+ "github.e2e-test-provider": {},
+ "github.ref-stream": {},
+ "github.kubernetes-version": {},
+ "github.cluster-creation": {},
+ "github.attestation-variant": {},
+ "deployment-type": {}, // deployment type, e.g. "debugd", "k8s"
 }
 )
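Review bot: The new `"github.attestation-variant": {}` entry in the allowed-fields set is the only one of the five `github.*` keys without any explanation, whereas `github.e2e-test-provider` is covered by the three-line comment above it and `deployment-type` carries an inline example. A trailing comment such as `// attestation variant used in e2e test, e.g. "azure-sev-snp"` would tell a reader of this file what value to expect and that it is finer-grained than the provider field above it. The enclosing `var (` block starts before this hunk.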