Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-02 10:35:08 -05:00
Code Issues Packages Projects Releases Wiki Activity

Allow starting e2e tests based on attestation variant instead of csp

Browse Source 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2024-01-25 15:32:19 +01:00 committed by Malte Poll
parent 597a923a7f
commit 65d28f913f
20 changed files with 377 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/actions/cdbg_deploy/action.yml vendored
View File

@ -14,6 +14,9 @@ inputs:
cloudProvider:
description: "The cloud provider to use."
required: true
attestationVariant:
description: "Attestation variant of the cluster."
required: false
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
required: true
@ -98,6 +101,7 @@ runs:
--info logcollect.github.ref-stream="${{ inputs.refStream }}" \
--info logcollect.github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
--info logcollect.github.cluster-creation="${{ inputs.clusterCreation }}" \
--info logcollect.github.attestation-variant="${{ inputs.attestationVariant }}" \
--info logcollect.deployment-type="debugd" \
--verbosity=-1 \
--force

14
.github/actions/constellation_create/action.yml vendored
View File

@ -11,6 +11,9 @@ inputs:
cloudProvider:
description: "Either 'gcp', 'aws' or 'azure'."
required: true
attestationVariant:
description: "Attestation variant to use."
required: true
machineType:
description: "Machine type of VM to spawn."
required: false
@ -83,7 +86,7 @@ runs:
if: inputs.azureSNPEnforcementPolicy != ''
shell: bash
run: |
if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then
if [[ ${{ inputs.attestationVariant }} != 'azure-sev-snp' ]]; then
echo "SNP enforcement policy is only supported for Azure"
exit 1
fi
@ -161,24 +164,21 @@ runs:
if : inputs.clusterCreation != 'self-managed'
shell: bash
run: |
# TODO(v2.14): Remove workaround for CLIs not supporting apply command
cmd='apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s'
if constellation --help | grep -q create; then
cmd=create
fi
constellation $cmd -y --debug --tf-log=DEBUG
constellation apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s -y --debug --tf-log=DEBUG
- name: Constellation create (self-managed)
if : inputs.clusterCreation == 'self-managed'
uses: ./.github/actions/self_managed_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
- name: Cdbg deploy
if: inputs.isDebugImage == 'true'
uses: ./.github/actions/cdbg_deploy
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
test: ${{ inputs.test }}
azureClusterCreateCredentials: ${{ inputs.azureClusterCreateCredentials }}
azureIAMCreateCredentials: ${{ inputs.azureIAMCreateCredentials }}

5
.github/actions/constellation_iam_create/action.yml vendored
View File

@ -5,6 +5,9 @@ inputs:
cloudProvider:
description: "Either 'aws', 'azure' or 'gcp'."
required: true
attestationVariant:
description: "The attestation variant to use."
required: true
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
required: false
@ -46,7 +49,7 @@ runs:
fi
echo "flag=--update-config" | tee -a "$GITHUB_OUTPUT"
constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag}
constellation config generate ${{ inputs.cloudProvider }} ${kubernetesFlag} --attestation ${{ inputs.attestationVariant }}
- name: Constellation iam create aws
shell: bash

4
.github/actions/deploy_logcollection/action.yml vendored
View File

@ -20,6 +20,9 @@ inputs:
provider:
description: "The CSP of the cluster."
required: true
attestationVariant:
description: "Attestation variant of the cluster."
required: false
isDebugImage:
description: "Whether the cluster is a debug cluster / uses a debug image."
required: true
@ -58,6 +61,7 @@ runs:
--fields github.ref-stream="${{ inputs.refStream }}" \
--fields github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
--fields github.cluster-creation="${{ inputs.clusterCreation }}" \
--fields github.attestation-variant="${{ inputs.attestationVariant }}" \
--fields deployment-type="k8s"
# Make sure that helm is installed

4
.github/actions/e2e_benchmark/action.yml vendored
View File

@ -5,6 +5,10 @@ inputs:
cloudProvider:
description: "Which cloud provider to use."
required: true
# TODO: Create different report depending on the attestation variant
attestationVariant:
description: "Which attestation variant to use."
required: true
kubeconfig:
description: "The kubeconfig of the cluster to test."
required: true

5
.github/actions/e2e_malicious_join/action.yml vendored
View File

@ -5,6 +5,9 @@ inputs:
cloudProvider:
description: "The cloud provider the test runs on."
required: true
attestationVariant:
description: "The attestation variant used in the cluster."
required: true
kubeconfig:
description: "The kubeconfig file for the cluster."
required: true
@ -34,7 +37,7 @@ runs:
[ \"/malicious-join_bin\", \
\"--js-endpoint=join-service.kube-system:9090\", \
\"--csp=${{ inputs.cloudProvider }}\", \
\"--variant=default\" ]" stamped_job.yaml
\"--variant=${{ inputs.attestationVariant }}\" ]" stamped_job.yaml
kubectl create ns malicious-join
kubectl apply -n malicious-join -f stamped_job.yaml

10
.github/actions/e2e_test/action.yml vendored
View File

@ -11,6 +11,9 @@ inputs:
cloudProvider:
description: "Which cloud provider to use."
required: true
attestationVariant:
description: "Which attestation variant to use."
required: true
machineType:
description: "VM machine type. Make sure it matches selected cloud provider!"
osImage:
@ -248,6 +251,7 @@ runs:
uses: ./.github/actions/constellation_iam_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
namePrefix: ${{ steps.create-prefix.outputs.prefix }}
awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region }}
@ -281,6 +285,7 @@ runs:
uses: ./.github/actions/constellation_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
workerNodesCount: ${{ inputs.workerNodesCount }}
controlNodesCount: ${{ inputs.controlNodesCount }}
machineType: ${{ inputs.machineType }}
@ -311,6 +316,7 @@ runs:
opensearchPwd: ${{ inputs.awsOpenSearchPwd }}
test: ${{ inputs.test }}
provider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
refStream: ${{ inputs.refStream }}
@ -363,6 +369,7 @@ runs:
uses: ./.github/actions/e2e_benchmark
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
@ -373,7 +380,7 @@ runs:
if: inputs.test == 'verify'
uses: ./.github/actions/e2e_verify
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
osImage: ${{ steps.constellation-create.outputs.osImageUsed }}
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
cosignPassword: ${{ inputs.cosignPassword }}
@ -391,6 +398,7 @@ runs:
uses: ./.github/actions/e2e_malicious_join
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
githubToken: ${{ inputs.githubToken }}

15
.github/actions/e2e_verify/action.yml vendored
View File

@ -5,8 +5,8 @@ inputs:
osImage:
description: "The OS image used in the cluster."
required: true
cloudProvider:
description: "The cloud provider used in the cluster."
attestationVariant:
description: "The attestation variant used in the cluster."
required: true
kubeconfig:
description: "The kubeconfig file for the cluster."
@ -67,7 +67,7 @@ runs:
sleep 5
# TODO(v2.15): Remove workaround since we don't need to support v2.13 anymore
if [[ ${{ inputs.cloudProvider }} == "azure" ]] || { [[ ${{ inputs.cloudProvider }} == "aws" ]] && ! constellation version | grep -q "v2.13."; }; then
if [[ ${{ inputs.attestationVariant }} == "azure-sev-snp" ]] || { [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && ! constellation version | grep -q "v2.13."; }; then
echo "Extracting TCB versions for API update"
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
else
@ -85,13 +85,13 @@ runs:
aws-region: eu-central-1
- name: Upload extracted TCBs
if: github.ref_name == 'main' && (inputs.cloudProvider == 'azure' || inputs.cloudProvider == 'aws')
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp')
shell: bash
env:
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
run: |
if [[ ${{ inputs.cloudProvider }} == "aws" ]] && constellation version | grep -q "v2.13."; then
if [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && constellation version | grep -q "v2.13."; then
echo "Skipping TCB upload for AWS on CLI v2.13"
exit 0
fi
@ -101,8 +101,11 @@ runs:
exit 1
fi
attestationVariant=${{ inputs.attestationVariant }}
cloudProvider=${attestationVariant%%-*}
for file in "${reports[@]}"; do
path=$(realpath "${file}")
cat "${path}"
bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.cloudProvider }} snp-report "${path}"
bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}"
done

6
.github/actions/notify_e2e_failure/action.yml vendored
View File

@ -11,6 +11,9 @@ inputs:
provider:
description: "CSP"
required: true
attestationVariant:
description: "Attestation variant"
required: false
refStream:
description: "RefStream of the run"
required: false
@ -63,6 +66,7 @@ runs:
(query:(match_phrase:(metadata.github.run-id:${{ github.run_id }}))),
(query:(match_phrase:(metadata.github.ref-stream:${{ inputs.refStream }}))),
(query:(match_phrase:(metadata.github.kubernetes-version:${{ inputs.kubernetesVersion }}))),
(query:(match_phrase:(metadata.github.attestation-variant:${{ inputs.attestationVariant }}))),
(query:(match_phrase:(metadata.github.e2e-test-payload:'${{ steps.encode-uri-component.outputs.string }}')))
))" | tr -d "\t\n ")
@ -92,7 +96,7 @@ runs:
fields: |
workflow: ${{ github.workflow }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
cloudProvider: ${{ inputs.provider }}
attestationVariant: ${{ inputs.attestationVariant }}
clusterCreation: ${{ inputs.clusterCreation }}
test: ${{ inputs.test }}
refStream: ${{ inputs.refStream }}

5
.github/actions/self_managed_create/action.yml vendored
View File

@ -5,6 +5,9 @@ inputs:
cloudProvider:
description: "The cloud provider the test runs on."
required: true
attestationVariant:
description: "The attestation variant to use."
required: true
runs:
using: "composite"
@ -81,7 +84,7 @@ runs:
- name: Patch MAA Policy
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
if: inputs.cloudProvider == 'azure'
if: inputs.attestationVariant == 'azure-sev-snp'
run: |
constellation maa-patch $(terraform output attestation_url | jq -r)

20
.github/workflows/e2e-test-daily.yml vendored
View File

@ -46,7 +46,7 @@ jobs:
max-parallel: 5
matrix:
kubernetesVersion: ["1.28"] # should be default
provider: ["gcp", "azure", "aws"]
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
test: ["sonobuoy full"]
runs-on: ubuntu-22.04
@ -63,13 +63,23 @@ jobs:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Split attestationVariant
id: split-attestationVariant
shell: bash
run: |
attestationVariant="${{ matrix.attestationVariant }}"
cloudProvider="${attestationVariant%%-*}"
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
- name: Run E2E test
id: e2e_test
uses: ./.github/actions/e2e_test
with:
workerNodesCount: "2"
controlNodesCount: "3"
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
attestationVariant: ${{ matrix.attestationVariant }}
osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
@ -99,7 +109,7 @@ jobs:
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
clusterCreation: "cli"
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -107,7 +117,7 @@ jobs:
if: always()
uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -123,7 +133,7 @@ jobs:
refStream: ${{ matrix.refStream }}
test: ${{ matrix.test }}
kubernetesVersion: ${{ matrix.kubernetesVersion }}
provider: ${{ matrix.provider }}
provider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
clusterCreation: "cli"
e2e-mini:

15
.github/workflows/e2e-test-internal-lb.yml vendored
View File

@ -7,14 +7,15 @@ on:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: choice
options:
- "gcp"
- "azure"
- "aws"
default: "azure"
- "gcp-sev-es"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
default: "azure-sev-snp"
required: true
runner:
description: "Architecture of the runner that executes the CLI"
@ -76,7 +77,7 @@ jobs:
uses: ./.github/workflows/e2e-test.yml
with:
nodeCount: ${{ inputs.nodeCount }}
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
runner: ${{ inputs.runner }}
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}

14
.github/workflows/e2e-test-marketplace-image.yml vendored
View File

@ -7,12 +7,16 @@ on:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: choice
options:
- "azure"
- "gcp"
- "gcp-sev-es"
- "azure-sev-snp"
- "azure-tdx"
# AWS not yet supported
# - "aws-sev-snp"
default: "azure-sev-snp"
required: true
runner:
description: "Architecture of the runner that executes the CLI"
@ -74,7 +78,7 @@ jobs:
uses: ./.github/workflows/e2e-test.yml
with:
nodeCount: ${{ inputs.nodeCount }}
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
runner: ${{ inputs.runner }}
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}

120
.github/workflows/e2e-test-release.yml vendored
View File

@ -46,130 +46,165 @@ jobs:
# sonobuoy full test on all k8s versions
- test: "sonobuoy full"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# verify test on latest k8s version
- test: "verify"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "verify"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "verify"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# recover test on latest k8s version
- test: "recover"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "recover"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "recover"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "recover"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# lb test on latest k8s version
- test: "lb"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "lb"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "lb"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "lb"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# autoscaling test on latest k8s version
- test: "autoscaling"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "autoscaling"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "autoscaling"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "autoscaling"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# perf-bench test on latest k8s version, not supported on AWS
- test: "perf-bench"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "perf-bench"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
@ -177,17 +212,22 @@ jobs:
# self-managed infra test on latest k8s version
# runs Sonobuoy full test
- test: "sonobuoy full"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
- test: "sonobuoy full"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
- test: "sonobuoy full"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
@ -195,7 +235,7 @@ jobs:
# s3proxy test on latest k8s version
- test: "s3proxy"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "cli"
@ -206,11 +246,11 @@ jobs:
# Skipping verify test on MacOS since the runner uses a different version of sed
# TODO(3u13r): Update verify test to work on MacOS runners
# - test: "verify"
# provider: "azure"
# attestationVariant: "azure-sev-snp"
# kubernetes-version: "v1.29"
# runner: "macos-12"
- test: "recover"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "macos-12"
clusterCreation: "cli"
@ -232,8 +272,17 @@ jobs:
fetch-depth: 0
ref: ${{ inputs.ref || github.head_ref }}
- name: Split attestationVariant
id: split-attestationVariant
shell: bash
run: |
attestationVariant="${{ matrix.attestationVariant }}"
cloudProvider="${attestationVariant%%-*}"
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
- name: Set up gcloud CLI (macOS)
if: matrix.provider == 'gcp' && runner.os == 'macOS'
if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
- name: Run E2E test
@ -242,7 +291,8 @@ jobs:
with:
workerNodesCount: "2"
controlNodesCount: "3"
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
attestationVariant: ${{ matrix.attestationVariant }}
cliVersion: ""
kubernetesVersion: ${{ matrix.kubernetes-version }}
osImage: ""
@ -273,7 +323,7 @@ jobs:
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
clusterCreation: ${{ matrix.clusterCreation }}
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -281,7 +331,7 @@ jobs:
if: always()
uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -291,7 +341,7 @@ jobs:
max-parallel: 1
matrix:
fromVersion: ["v2.14.0"]
cloudProvider: ["gcp", "azure", "aws"]
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "aws-sev-snp"] # TODO(v2.15) Add azure-tdx to test matrix
name: Run upgrade tests
secrets: inherit
permissions:
@ -303,6 +353,6 @@ jobs:
with:
fromVersion: ${{ matrix.fromVersion }}
toImage: ${{ inputs.targetVersion }}
cloudProvider: ${{ matrix.cloudProvider }}
attestationVariant: ${{ matrix.attestationVariant }}
nodeCount: '3:2'
gitRef: ${{ inputs.ref || github.head_ref }}

15
.github/workflows/e2e-test-self-managed.yml vendored
View File

@ -7,14 +7,15 @@ on:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: choice
options:
- "gcp"
- "azure"
- "aws"
default: "azure"
- "gcp-sev-es"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
default: "azure-sev-snp"
required: true
runner:
description: "Architecture of the runner that executes the CLI"
@ -76,7 +77,7 @@ jobs:
uses: ./.github/workflows/e2e-test.yml
with:
nodeCount: ${{ inputs.nodeCount }}
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
runner: ${{ inputs.runner }}
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}

15
.github/workflows/e2e-test-terraform-provider.yml vendored
View File

@ -7,14 +7,15 @@ on:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: choice
options:
- "gcp"
- "azure"
- "aws"
default: "azure"
- "gcp-sev-es"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
default: "azure-sev-snp"
required: true
runner:
description: "Architecture of the runner that executes the CLI"
@ -76,7 +77,7 @@ jobs:
uses: ./.github/workflows/e2e-test.yml
with:
nodeCount: ${{ inputs.nodeCount }}
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
runner: ${{ inputs.runner }}
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}

155
.github/workflows/e2e-test-weekly.yml vendored
View File

@ -54,66 +54,86 @@ jobs:
# sonobuoy full test on all k8s versions
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.27"
clusterCreation: "cli"
# verify test on latest k8s version
- test: "verify"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
clusterCreation: "cli"
- test: "verify"
provider: "aws"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "verify"
attestationVariant: "aws-sev-snp"
refStream: "ref/main/stream/debug/?"
kubernetes-version: "v1.29"
clusterCreation: "cli"
@ -121,80 +141,106 @@ jobs:
# recover test on latest k8s version
- test: "recover"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
# lb test on latest k8s version
- test: "lb"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
# autoscaling test on latest k8s version
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
# perf-bench test on latest k8s version, not supported on AWS
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
# TODO: check what needs to be done for perf-bench on Azure TDX
#- test: "perf-bench"
# refStream: "ref/main/stream/debug/?"
# attestationVariant: "azure-tdx"
# kubernetes-version: "v1.29"
# clusterCreation: "cli"
# malicious join test on latest k8s version
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
@ -202,40 +248,50 @@ jobs:
# with Sonobuoy full
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
provider: "aws"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
refStream: "ref/main/stream/debug/?"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
# s3proxy test on latest k8s version
- test: "s3proxy"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
@ -246,17 +302,22 @@ jobs:
# verify test on default k8s version
- test: "verify"
refStream: "ref/release/stream/stable/?"
provider: "gcp"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
provider: "azure"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
provider: "aws"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
@ -274,13 +335,23 @@ jobs:
fetch-depth: 0
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Split attestationVariant
id: split-attestationVariant
shell: bash
run: |
attestationVariant="${{ matrix.attestationVariant }}"
cloudProvider="${attestationVariant%%-*}"
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
- name: Run E2E test
id: e2e_test
uses: ./.github/actions/e2e_test
with:
workerNodesCount: "2"
controlNodesCount: "3"
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
attestationVariant: ${{ matrix.attestationVariant }}
osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
@ -313,7 +384,7 @@ jobs:
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
clusterCreation: ${{ matrix.clusterCreation }}
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -321,7 +392,7 @@ jobs:
if: always()
uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ matrix.provider }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -337,7 +408,7 @@ jobs:
refStream: ${{ matrix.refStream }}
test: ${{ matrix.test }}
kubernetesVersion: ${{ matrix.kubernetes-version }}
provider: ${{ matrix.provider }}
provider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
clusterCreation: ${{ matrix.clusterCreation }}
e2e-upgrade:
@ -346,7 +417,7 @@ jobs:
max-parallel: 1
matrix:
fromVersion: ["v2.14.0"]
cloudProvider: ["gcp", "azure", "aws"]
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "aws-sev-snp"] # TODO(v2.15) Add azure-tdx to test matrix
name: Run upgrade tests
secrets: inherit
permissions:
@ -357,7 +428,7 @@ jobs:
uses: ./.github/workflows/e2e-upgrade.yml
with:
fromVersion: ${{ matrix.fromVersion }}
cloudProvider: ${{ matrix.cloudProvider }}
attestationVariant: ${{ matrix.attestationVariant }}
nodeCount: '3:2'
scheduled: ${{ github.event_name == 'schedule' }}

46
.github/workflows/e2e-test.yml vendored
View File

@ -7,14 +7,15 @@ on:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: choice
options:
- "gcp"
- "azure"
- "aws"
default: "azure"
- "gcp-sev-es"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
default: "azure-sev-snp"
required: true
runner:
description: "Architecture of the runner that executes the CLI"
@ -71,8 +72,8 @@ on:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: string
required: true
runner:
@ -124,8 +125,8 @@ on:
type: boolean
jobs:
split-nodeCount:
name: Split nodeCount
generate-input-parameters:
name: Generate input parameters
runs-on: ubuntu-22.04
permissions:
id-token: write
@ -133,6 +134,7 @@ jobs:
outputs:
workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
steps:
- name: Split nodeCount
id: split-nodeCount
@ -150,6 +152,15 @@ jobs:
echo "workerNodes=${workerNodes}" | tee -a "$GITHUB_OUTPUT"
echo "controlPlaneNodes=${controlPlaneNodes}" | tee -a "$GITHUB_OUTPUT"
- name: Split attestationVariant
id: split-attestationVariant
shell: bash
run: |
attestationVariant="${{ inputs.attestationVariant }}"
cloudProvider="${attestationVariant%%-*}"
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
find-latest-image:
name: Select image
runs-on: ubuntu-22.04
@ -188,7 +199,7 @@ jobs:
checks: write
contents: read
packages: write
needs: [find-latest-image, split-nodeCount]
needs: [find-latest-image, generate-input-parameters]
if: always() && !cancelled()
steps:
- name: Install basic tools (macOS)
@ -209,16 +220,17 @@ jobs:
ref: ${{ inputs.git-ref }}
- name: Set up gcloud CLI (macOS)
if: inputs.cloudProvider == 'gcp' && runner.os == 'macOS'
if: ${{ needs.generate-input-parameters.outputs.cloudProvider }} == 'gcp' && runner.os == 'macOS'
uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
- name: Run manual E2E test
id: e2e_test
uses: ./.github/actions/e2e_test
with:
workerNodesCount: ${{ needs.split-nodeCount.outputs.workerNodes }}
controlNodesCount: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
cloudProvider: ${{ inputs.cloudProvider }}
workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }}
gcpProject: constellation-e2e
@ -254,7 +266,7 @@ jobs:
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
clusterCreation: ${{ inputs.clusterCreation }}
cloudProvider: ${{ inputs.cloudProvider }}
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -262,6 +274,6 @@ jobs:
if: always()
uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ inputs.cloudProvider }}
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

71
.github/workflows/e2e-upgrade.yml vendored
View File

@ -3,14 +3,16 @@ name: e2e test upgrade
on:
workflow_dispatch:
inputs:
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: choice
options:
- "gcp"
- "azure"
- "aws"
default: "azure"
- "gcp-sev-es"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
default: "azure-sev-snp"
required: true
nodeCount:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
@ -45,8 +47,8 @@ on:
type: string
workflow_call:
inputs:
cloudProvider:
description: "Which cloud provider to use."
attestationVariant:
description: "Which attestation variant to use."
type: string
required: true
nodeCount:
@ -85,8 +87,8 @@ on:
required: false
jobs:
split-nodeCount:
name: Split nodeCount
generate-input-parameters:
name: Generate input parameters
runs-on: ubuntu-22.04
permissions:
id-token: write
@ -94,6 +96,7 @@ jobs:
outputs:
workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
steps:
- name: Split nodeCount
id: split-nodeCount
@ -111,6 +114,15 @@ jobs:
echo "workerNodes=${workerNodes}" | tee -a "$GITHUB_OUTPUT"
echo "controlPlaneNodes=${controlPlaneNodes}" | tee -a "$GITHUB_OUTPUT"
- name: Split attestationVariant
id: split-attestationVariant
shell: bash
run: |
attestationVariant="${{ inputs.attestationVariant }}"
cloudProvider="${attestationVariant%%-*}"
echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
build-target-cli:
name: Build upgrade target version CLI
runs-on: ubuntu-22.04
@ -173,7 +185,7 @@ jobs:
checks: write
contents: read
packages: write
needs: [split-nodeCount]
needs: [generate-input-parameters]
outputs:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
steps:
@ -200,9 +212,10 @@ jobs:
id: e2e_test
uses: ./.github/actions/e2e_test
with:
workerNodesCount: ${{ needs.split-nodeCount.outputs.workerNodes }}
controlNodesCount: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
cloudProvider: ${{ inputs.cloudProvider }}
workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
osImage: ${{ inputs.fromVersion }}
isDebugImage: "false"
cliVersion: ${{ inputs.fromVersion }}
@ -243,7 +256,7 @@ jobs:
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Upload SA Key
if: always() && inputs.cloudProvider == 'gcp'
if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
uses: ./.github/actions/artifact_upload
with:
name: sa-key
@ -260,7 +273,7 @@ jobs:
contents: read
packages: write
needs:
- split-nodeCount
- generate-input-parameters
- build-target-cli
- create-cluster
steps:
@ -300,13 +313,13 @@ jobs:
stream: nightly
- name: Login to GCP (IAM service account)
if: inputs.cloudProvider == 'gcp'
if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws'
if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
@ -315,7 +328,7 @@ jobs:
role-duration-seconds: 21600
- name: Login to Azure (IAM service principal)
if: inputs.cloudProvider == 'azure'
if: needs.generate-input-parameters.outputs.cloudProvider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
@ -333,7 +346,7 @@ jobs:
encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
- name: Download SA Key
if: inputs.cloudProvider == 'gcp'
if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
uses: ./.github/actions/artifact_download
with:
name: sa-key
@ -356,13 +369,13 @@ jobs:
uses: ./.github/actions/constellation_iam_upgrade
- name: Login to GCP (Cluster service account)
if: always() && inputs.cloudProvider == 'gcp'
if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Login to AWS (Cluster role)
if: always() && inputs.cloudProvider == 'aws'
if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
@ -371,7 +384,7 @@ jobs:
role-duration-seconds: 21600
- name: Login to Azure (Cluster service principal)
if: always() && inputs.cloudProvider == 'azure'
if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
@ -382,8 +395,8 @@ jobs:
IMAGE: ${{ inputs.toImage && inputs.toImage || steps.find-image.outputs.output }}
KUBERNETES: ${{ inputs.toKubernetes }}
MICROSERVICES: ${{ inputs.toMicroservices }}
WORKERNODES: ${{ needs.split-nodeCount.outputs.workerNodes }}
CONTROLNODES: ${{ needs.split-nodeCount.outputs.controlPlaneNodes }}
WORKERNODES: ${{ needs.generate-input-parameters.outputs.workerNodes }}
CONTROLNODES: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
run: |
echo "Image target: $IMAGE"
echo "K8s target: $KUBERNETES"
@ -427,7 +440,7 @@ jobs:
contents: read
packages: write
if: always()
needs: [create-cluster, e2e-upgrade]
needs: [generate-input-parameters, create-cluster, e2e-upgrade]
steps:
- name: Checkout
if: inputs.gitRef == 'head'
@ -496,7 +509,7 @@ jobs:
with:
clusterCreation: "cli"
kubeconfig: ${{ needs.create-cluster.outputs.kubeconfig }}
cloudProvider: ${{ inputs.cloudProvider }}
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -504,7 +517,7 @@ jobs:
if: always()
uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ inputs.cloudProvider }}
cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -520,4 +533,4 @@ jobs:
with:
projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
test: "upgrade"
provider: ${{ inputs.cloudProvider }}
provider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}

1
debugd/internal/debugd/logcollector/fields.go
View File

@ -36,6 +36,7 @@ var (
"github.ref-stream": {},
"github.kubernetes-version": {},
"github.cluster-creation": {},
"github.attestation-variant": {},
"deployment-type": {}, // deployment type, e.g. "debugd", "k8s"
}
)