ci: Terraform provider e2e tests (#2712)

* Refactor selfManagedInfra input to clusterCreation in e2e tests
* Run e2e test using terraform provider
* Allow insecure measurement fetching in Terraform provider
* Run Terraform provider test instead of module test in weekly runs

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2023-12-15 10:37:29 +01:00 committed by GitHub
parent 9667dfff58
commit 724ee44466
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 415 additions and 55 deletions


@ -20,9 +20,9 @@ inputs:
refStream:
description: "The refStream of the image the test runs on."
required: true
selfManagedInfra:
description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI."
default: "false"
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
default: "cli"
runs:
using: "composite"
@ -97,7 +97,7 @@ runs:
--info logcollect.github.is-debug-cluster=false \
--info logcollect.github.ref-stream="${{ inputs.refStream }}" \
--info logcollect.github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
--info logcollect.github.self-managed-infra="${{ inputs.selfManagedInfra }}" \
--info logcollect.github.cluster-creation="${{ inputs.clusterCreation }}" \
--info logcollect.deployment-type="debugd" \
--verbosity=-1 \
--force


@ -50,9 +50,9 @@ inputs:
internalLoadBalancer:
description: "Whether to use an internal load balancer for the control plane"
required: false
selfManagedInfra:
description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI."
required: true
clusterCreation:
description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
default: "cli"
marketplaceImageVersion:
description: "Marketplace OS image version. Used instead of osImage."
required: false
@ -63,7 +63,7 @@ inputs:
outputs:
kubeconfig:
description: "The kubeconfig for the cluster."
value: ${{ steps.constellation-init.outputs.KUBECONFIG }}
value: ${{ steps.get-kubeconfig.outputs.KUBECONFIG }}
osImageUsed:
description: "The OS image used in the cluster."
value: ${{ steps.setImage.outputs.image }}
@ -148,7 +148,7 @@ runs:
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true
- name: Constellation create (CLI)
if : inputs.selfManagedInfra != 'true'
if : inputs.clusterCreation != 'self-managed'
shell: bash
run: |
# TODO(v2.14): Remove workaround for CLIs not supporting apply command
@ -159,7 +159,7 @@ runs:
constellation $cmd -y --debug --tf-log=DEBUG
- name: Constellation create (self-managed)
if : inputs.selfManagedInfra == 'true'
if : inputs.clusterCreation == 'self-managed'
uses: ./.github/actions/self_managed_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
@ -174,7 +174,7 @@ runs:
azureIAMCreateCredentials: ${{ inputs.azureIAMCreateCredentials }}
refStream: ${{ inputs.refStream }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
selfManagedInfra: ${{ inputs.selfManagedInfra }}
clusterCreation: ${{ inputs.clusterCreation }}
- name: Set force flag
id: set-force-flag
@ -183,17 +183,30 @@ runs:
run: |
echo "flag=--force" | tee -a $GITHUB_OUTPUT
- name: Constellation init
id: constellation-init
- name: Constellation apply (Terraform)
id: constellation-apply-terraform
if: inputs.clusterCreation == 'terraform'
uses: ./.github/actions/terraform_apply
with:
cloudProvider: ${{ inputs.cloudProvider }}
- name: Constellation apply
id: constellation-apply-cli
if: inputs.clusterCreation != 'terraform'
shell: bash
run: |
constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }}
- name: Get kubeconfig
id: get-kubeconfig
shell: bash
run: |
echo "KUBECONFIG=$(pwd)/constellation-admin.conf" | tee -a $GITHUB_OUTPUT
- name: Wait for nodes to join and become ready
shell: bash
env:
KUBECONFIG: "${{ steps.constellation-init.outputs.KUBECONFIG }}"
KUBECONFIG: "${{ steps.get-kubeconfig.outputs.KUBECONFIG }}"
JOINTIMEOUT: "1200" # 20 minutes timeout for all nodes to join
run: |
echo "::group::Wait for nodes"
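Review bot: `clusterCreation` is never validated, so any value other than `self-managed` or `terraform` — a typo, or a caller still passing the old boolean `true`/`false` — silently takes the CLI create path (L71) and the CLI apply path (L104) instead of failing. A short guard step ahead of "Constellation create (CLI)" that rejects anything outside `cli|self-managed|terraform` makes the mistake loud before any cloud resources are created. The composite action's `runs:` list starts and ends outside this section.
```yaml
- name: Validate clusterCreation input
  shell: bash
  env:
    CLUSTER_CREATION: ${{ inputs.clusterCreation }}
  run: |
    case "${CLUSTER_CREATION}" in
      cli|self-managed|terraform) ;;
      *) echo "Unsupported clusterCreation value: ${CLUSTER_CREATION}"; exit 1 ;;
    esac
# … unchanged: Constellation create (CLI) / (self-managed) / apply steps …
```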


@ -5,9 +5,9 @@ inputs:
kubeconfig:
description: "The kubeconfig for the cluster."
required: true
selfManagedInfra:
description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI."
required: true
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
default: "cli"
gcpClusterDeleteServiceAccount:
description: "Service account with permissions to delete a Constellation cluster on GCP."
required: true
@ -72,13 +72,13 @@ runs:
azure_credentials: ${{ inputs.azureClusterDeleteCredentials }}
- name: Constellation terminate
if: inputs.selfManagedInfra != 'true'
if: inputs.clusterCreation != 'self-managed'
shell: bash
run: |
constellation terminate --yes --tf-log=DEBUG
- name: Constellation terminate (self-managed)
if: inputs.selfManagedInfra == 'true'
if: inputs.clusterCreation == 'self-managed'
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
run: |
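Review bot: For a `terraform`-created cluster the teardown falls into the plain `constellation terminate` branch (L141), which removes the CLI-created infrastructure but leaves `terraform.tfstate` and the generated `main.tf` behind; the state holds the master secret, salts and kubeconfig in plaintext (`sensitive = true` only affects terminal output), and on the GCP path the config file embeds the service account key. If the runner is ephemeral and nothing later archives the working directory this is moot, but I can't confirm that from this section, so a cleanup step guarded by `if: inputs.clusterCreation == 'terraform'` running `rm -f main.tf terraform.tfstate terraform.tfstate.backup` would be cheap insurance. The `runs:` list continues outside this section.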


@ -29,9 +29,9 @@ inputs:
kubernetesVersion:
description: "Kubernetes version of the cluster"
required: false
selfManagedInfra:
description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI."
default: "false"
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
default: "cli"
runs:
using: "composite"
@ -57,7 +57,7 @@ runs:
--fields github.e2e-test-provider="${{ inputs.provider }}" \
--fields github.ref-stream="${{ inputs.refStream }}" \
--fields github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
--fields github.self-managed-infra="${{ inputs.selfManagedInfra }}" \
--fields github.cluster-creation="${{ inputs.clusterCreation }}" \
--fields deployment-type="k8s"
# Make sure that helm is installed


@ -73,9 +73,9 @@ inputs:
description: "Enable security policy for the cluster."
internalLoadBalancer:
description: "Enable internal load balancer for the cluster."
selfManagedInfra:
description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI."
default: "false"
clusterCreation:
description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
default: "cli"
s3AccessKey:
description: "Access key for s3proxy"
s3SecretKey:
@ -166,6 +166,28 @@ runs:
# Do not spam license server from pipeline
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
- name: Build Terraform provider binary
if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == ''
uses: ./.github/actions/build_tf_provider
with:
targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
outputPath: "build/terraform-provider-constellation"
- name: Move Terraform provider binary
if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == ''
shell: bash
run: |
bazel build //bazel/settings:tag
repository_root=$(git rev-parse --show-toplevel)
out_rel=$(bazel cquery --output=files //bazel/settings:tag)
build_version=$(cat "$(realpath "${repository_root}/${out_rel}")")
terraform_provider_dir="${HOME}/.terraform.d/plugins/registry.terraform.io/edgelesssys/constellation/${build_version#v}/${{ steps.determine-build-target.outputs.hostOS }}_${{ steps.determine-build-target.outputs.hostArch }}/"
mkdir -p "${terraform_provider_dir}"
mv build/terraform-provider-constellation "${terraform_provider_dir}/terraform-provider-constellation_${build_version}"
- name: Build the bootstrapper
id: build-bootstrapper
if: inputs.isDebugImage == 'true'
@ -271,7 +293,7 @@ runs:
refStream: ${{ inputs.refStream }}
internalLoadBalancer: ${{ inputs.internalLoadBalancer }}
test: ${{ inputs.test }}
selfManagedInfra: ${{ inputs.selfManagedInfra }}
clusterCreation: ${{ inputs.clusterCreation }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
force: ${{ inputs.force }}
@ -288,7 +310,7 @@ runs:
isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
refStream: ${{ inputs.refStream }}
selfManagedInfra: ${{ inputs.selfManagedInfra }}
clusterCreation: ${{ inputs.clusterCreation }}
#
# Test payloads
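Review bot: The locally built provider is dropped into the implied filesystem mirror under a version taken from the bazel tag (L208, `${build_version#v}`), while the generated config later pins `version = microserviceVersion` (L288 in the terraform_apply action); if the two ever differ, `terraform init` silently resolves `edgelesssys/constellation` from the public registry and the run tests a released provider rather than the checkout, with a green result. Consider either asserting the two match before `terraform init`, or using a `provider_installation { dev_overrides { … } }` entry in `~/.terraformrc` pointing at `${terraform_provider_dir}`, which fails loudly when the binary is missing and never falls back to the registry. The interpolated `${{ steps.determine-build-target.outputs.* }}` values come from the runner's own OS/arch detection, so injection risk is low, but passing them through `env:` would match the rest of the action's shell steps. The `runs:` list continues outside this section.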


@ -17,8 +17,8 @@ inputs:
kubernetesVersion:
description: "Kubernetes version"
required: false
selfManagedInfra:
description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI."
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
default: "false"
runs:
@ -66,6 +66,7 @@ runs:
workflow: ${{ github.workflow }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
cloudProvider: ${{ inputs.provider }}
clusterCreation: ${{ inputs.clusterCreation }}
test: ${{ inputs.test }}
refStream: ${{ inputs.refStream }}
token: ${{ inputs.projectWriteToken }}
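Review bot: The renamed `clusterCreation` input keeps `default: "false"` (L241), which is not one of the values its own description lists; it is forwarded unchanged (L247) and the receiving actions only compare against `self-managed`/`terraform`, so `"false"` happens to behave like `cli` by accident rather than by design. Change it to `default: "cli"` to match the sibling actions in this commit, which all declare that default.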


@ -0,0 +1,157 @@
name: Terraform provider apply
description: "Create/Apply a Constellation cluster using the Terraform provider."
inputs:
cloudProvider:
description: "The cloud provider the test runs on."
required: true
runs:
using: "composite"
steps:
- name: Create Terraform file
shell: bash
run: |
attestationVariant=""
case "$(yq '.attestation | keys | .[0]' constellation-conf.yaml)" in
"awsSEVSNP")
attestationVariant="aws-sev-snp"
;;
"azureSEVSNP")
attestationVariant="azure-sev-snp"
;;
"gcpSEVES")
attestationVariant="gcp-sev-es"
;;
*)
echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
exit 1
;;
esac
cat << EOF > main.tf
terraform {
required_providers {
constellation = {
source = "edgelesssys/constellation"
version = "$(yq '.microserviceVersion' constellation-conf.yaml | sed 's/^v//')"
}
random = {
source = "hashicorp/random"
version = "3.6.0"
}
}
}
resource "random_bytes" "master_secret" {
length = 32
}
resource "random_bytes" "master_secret_salt" {
length = 32
}
resource "random_bytes" "measurement_salt" {
length = 32
}
data "constellation_attestation" "con_attestation" {
csp = "${{ inputs.cloudProvider }}"
attestation_variant = "${attestationVariant}"
image_version = "$(yq '.image' constellation-conf.yaml)"
maa_url = "$(yq '.infrastructure.azure.attestationURL' constellation-state.yaml)"
insecure = true
}
data "constellation_image" "con_image" {
image_version = "$(yq '.image' constellation-conf.yaml)"
attestation_variant = "${attestationVariant}"
csp = "${{ inputs.cloudProvider }}"
region = "$(yq '.provider.aws.region' constellation-conf.yaml)"
}
resource "constellation_cluster" "cluster" {
csp = "${{ inputs.cloudProvider }}"
constellation_microservice_version = "$(yq '.microserviceVersion' constellation-conf.yaml)"
name = "$(yq '.name' constellation-conf.yaml)"
uid = "$(yq '.infrastructure.uid' constellation-state.yaml)"
image_reference = data.constellation_image.con_image.reference
image_version = "$(yq '.microserviceVersion' constellation-conf.yaml)"
attestation = data.constellation_attestation.con_attestation.attestation
init_secret = "$(yq '.infrastructure.initSecret' constellation-state.yaml | xxd -r -p)"
master_secret = random_bytes.master_secret.hex
master_secret_salt = random_bytes.master_secret_salt.hex
measurement_salt = random_bytes.measurement_salt.hex
out_of_cluster_endpoint = "$(yq '.infrastructure.clusterEndpoint' constellation-state.yaml)"
in_cluster_endpoint = "$(yq '.infrastructure.inClusterEndpoint' constellation-state.yaml)"
azure = {
count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "azure" ? 1 : 0
tenant_id = "$(yq '.provider.azure.tenant' constellation-conf.yaml)"
subscription_id = "$(yq '.infrastructure.azure.subscriptionID' constellation-state.yaml)"
uami_client_id = "$(yq '.infrastructure.azure.userAssignedIdentity' constellation-state.yaml)"
uami_resource_id = "$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)"
location = "$(yq '.provider.azure.location' constellation-conf.yaml)"
resource_group = "$(yq '.infrastructure.azure.resourceGroup' constellation-state.yaml)"
load_balancer_name = "$(yq '.infrastructure.azure.loadBalancerName' constellation-state.yaml)"
network_security_group_name = "$(yq '.infrastructure.azure.networkSecurityGroupName' constellation-state.yaml)"
}
gcp = {
count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "gcp" ? 1 : 0
project_id = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
}
network_config = {
ip_cidr_node = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"
ip_cidr_pod = "$(yq '.infrastructure.gcp.ipCidrPod' constellation-state.yaml)" # This is null for everything but GCP
}
}
output "master_secret" {
value = random_bytes.master_secret.base64
sensitive = true
}
output "master_secret_salt" {
value = random_bytes.master_secret_salt.base64
sensitive = true
}
output "measurement_salt" {
value = random_bytes.measurement_salt.hex
sensitive = true
}
output "cluster_id" {
value = constellation_cluster.cluster.cluster_id
}
output "owner_id" {
value = constellation_cluster.cluster.owner_id
}
output "kubeconfig" {
value = constellation_cluster.cluster.kubeconfig
sensitive = true
}
EOF
- name: Apply Terraform configuration
shell: bash
run: |
terraform init
terraform apply -auto-approve
- name: Write output
shell: bash
run: |
terraform output -raw kubeconfig > "$(pwd)/constellation-admin.conf"
yq -i ".clusterValues.measurementSalt = $(terraform output measurement_salt)" constellation-state.yaml
yq -i ".clusterValues.clusterID = $(terraform output cluster_id)" constellation-state.yaml
yq -i ".clusterValues.ownerID = $(terraform output owner_id)" constellation-state.yaml
cat << EOF > constellation-mastersecret.json
{
"key": "$(terraform output -raw master_secret)",
"salt": "$(terraform output -raw master_secret_salt)"
}
EOF
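Review bot: The GCP service account key is read and embedded verbatim, base64-encoded, into `main.tf` (L346), and the master secret, salts and kubeconfig end up in `terraform.tfstate`; `sensitive()`/`sensitive = true` only redact plan and output text, not what is written to disk, so both files hold live credentials in plaintext on the runner. Declaring `variable "gcp_service_account_key" { type = string, sensitive = true }`, using `service_account_key = var.gcp_service_account_key`, and supplying it as `TF_VAR_gcp_service_account_key` in the apply step's `env:` keeps the key out of the generated config. `insecure = true` (L310) is hard-coded for every run, so this path never exercises measurement signature verification even for release images, unlike the CLI path where `fetchMeasurements` is keyed on the refStream — wiring it to an action input would preserve that coverage. `base64 -w0` (L346) is a GNU extension and fails on the `macos-12` runner the provider workflow offers; `base64 | tr -d '\n'` is portable. Lastly, `constellation_cluster.image_version` is set from `.microserviceVersion` (L324) while both data sources use `.image` (L308, L313) — that looks inconsistent and is worth confirming against the provider schema.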


@ -90,14 +90,14 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
selfManagedInfra: "false"
clusterCreation: "cli"
- name: Always terminate cluster
if: always()
uses: ./.github/actions/constellation_destroy
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
selfManagedInfra: "false"
clusterCreation: "cli"
cloudProvider: ${{ matrix.provider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -123,7 +123,7 @@ jobs:
test: ${{ matrix.test }}
kubernetesVersion: ${{ matrix.kubernetesVersion }}
provider: ${{ matrix.provider }}
selfManagedInfra: "false"
clusterCreation: "cli"
e2e-mini:
name: Run miniconstellation E2E test


@ -49,107 +49,130 @@ jobs:
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "azure"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "aws"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "gcp"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "azure"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "aws"
kubernetes-version: "v1.27"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "gcp"
kubernetes-version: "v1.26"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "azure"
kubernetes-version: "v1.26"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "sonobuoy full"
provider: "aws"
kubernetes-version: "v1.26"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# verify test on latest k8s version
- test: "verify"
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "verify"
provider: "azure"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "verify"
provider: "aws"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# recover test on latest k8s version
- test: "recover"
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "recover"
provider: "azure"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "recover"
provider: "aws"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# lb test on latest k8s version
- test: "lb"
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "lb"
provider: "azure"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "lb"
provider: "aws"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# autoscaling test on latest k8s version
- test: "autoscaling"
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "autoscaling"
provider: "azure"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "autoscaling"
provider: "aws"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# perf-bench test on latest k8s version, not supported on AWS
- test: "perf-bench"
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
- test: "perf-bench"
provider: "azure"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
# self-managed infra test on latest k8s version
# runs Sonobuoy full test
@ -157,17 +180,17 @@ jobs:
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
selfManagedInfra: "true"
clusterCreation: "self-managed"
- test: "sonobuoy full"
provider: "azure"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
selfManagedInfra: "true"
clusterCreation: "self-managed"
- test: "sonobuoy full"
provider: "aws"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
selfManagedInfra: "true"
clusterCreation: "self-managed"
# s3proxy test on latest k8s version
- test: "s3proxy"
@ -175,6 +198,7 @@ jobs:
provider: "gcp"
kubernetes-version: "v1.28"
runner: "ubuntu-22.04"
clusterCreation: "cli"
#
# Tests on macOS runner
@ -189,6 +213,7 @@ jobs:
provider: "gcp"
kubernetes-version: "v1.28"
runner: "macos-12"
clusterCreation: "cli"
runs-on: ${{ matrix.runner }}
permissions:
id-token: write
@ -237,7 +262,7 @@ jobs:
cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
githubToken: ${{ secrets.GITHUB_TOKEN }}
selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }}
clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
@ -246,7 +271,7 @@ jobs:
uses: ./.github/actions/constellation_destroy
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }}
clusterCreation: ${{ matrix.clusterCreation }}
cloudProvider: ${{ matrix.provider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"


@ -85,4 +85,4 @@ jobs:
machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }}
git-ref: ${{ inputs.git-ref }}
selfManagedInfra: true
clusterCreation: "self-managed"


@ -0,0 +1,88 @@
name: e2e test Terraform provider
on:
workflow_dispatch:
inputs:
nodeCount:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
cloudProvider:
description: "Which cloud provider to use."
type: choice
options:
- "gcp"
- "azure"
- "aws"
default: "azure"
required: true
runner:
description: "Architecture of the runner that executes the CLI"
type: choice
options:
- "ubuntu-22.04"
- "macos-12"
default: "ubuntu-22.04"
test:
description: "The test to run."
type: choice
options:
- "sonobuoy quick"
- "sonobuoy full"
- "autoscaling"
- "lb"
- "perf-bench"
- "verify"
- "recover"
- "malicious join"
- "nop"
required: true
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
default: "1.27"
required: true
releaseVersion:
description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."
type: string
default: ""
required: false
imageVersion:
description: "Full name of OS image (CSP independent image version UID). Leave empty for latest debug image on main."
type: string
default: ""
required: false
machineType:
description: "Override VM machine type. Leave as 'default' or empty to use the default VM type for the selected cloud provider."
type: string
default: "default"
required: false
regionZone:
description: "Region or zone to create the cluster in. Leave empty for default region/zone."
type: string
git-ref:
description: "Git ref to checkout."
type: string
default: "head"
required: false
jobs:
e2e-test:
permissions:
id-token: write
checks: write
contents: read
packages: write
secrets: inherit
uses: ./.github/workflows/e2e-test.yml
with:
nodeCount: ${{ inputs.nodeCount }}
cloudProvider: ${{ inputs.cloudProvider }}
runner: ${{ inputs.runner }}
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
cliVersion: ${{ inputs.releaseVersion }}
imageVersion: ${{ inputs.imageVersion }}
machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }}
git-ref: ${{ inputs.git-ref }}
clusterCreation: "terraform"
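Review bot: `releaseVersion` is described as the version of a released provider to download, but it is wired to the reusable workflow's `cliVersion` input (L692); in the `e2e_test` action that same value decides whether the provider is built from the checkout (`inputs.cliVersion == ''`, L194) and presumably which CLI binary is used, so a user setting it also gets a released CLI, which the description does not say. Either split the two inputs or make the description honest: `description: "Version of a released provider (and matching CLI) to download. Leave empty to build both from the checked out ref."`. The job also grants `packages: write` (L683) together with `secrets: inherit`; the other e2e workflows in this commit request the same set, so this may be for consistency, but if the test only pulls images `packages: read` is the least privilege needed. `kubernetesVersion` defaults to `1.27` here while every matrix entry elsewhere pins `v1.28`, which is probably unintended.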


@ -56,121 +56,147 @@ jobs:
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.26"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.26"
clusterCreation: "cli"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.26"
clusterCreation: "cli"
# verify test on latest k8s version
- test: "verify"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
clusterCreation: "cli"
- test: "verify"
provider: "aws"
refStream: "ref/main/stream/debug/?"
kubernetes-version: "v1.28"
clusterCreation: "cli"
# recover test on latest k8s version
- test: "recover"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "recover"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.28"
clusterCreation: "cli"
# lb test on latest k8s version
- test: "lb"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "lb"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.28"
clusterCreation: "cli"
# autoscaling test on latest k8s version
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "autoscaling"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.28"
clusterCreation: "cli"
# perf-bench test on latest k8s version, not supported on AWS
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "perf-bench"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
clusterCreation: "cli"
# malicious join test on latest k8s version
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.28"
clusterCreation: "cli"
# self-managed infra test on latest k8s version
# with Sonobuoy full
@ -178,23 +204,40 @@ jobs:
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
selfManagedInfra: "true"
clusterCreation: "self-managed"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
selfManagedInfra: "true"
clusterCreation: "self-managed"
- test: "sonobuoy full"
provider: "aws"
refStream: "ref/main/stream/debug/?"
kubernetes-version: "v1.28"
selfManagedInfra: "true"
clusterCreation: "self-managed"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.28"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
provider: "aws"
kubernetes-version: "v1.28"
clusterCreation: "terraform"
# s3proxy test on latest k8s version
- test: "s3proxy"
refStream: "ref/main/stream/debug/?"
provider: "gcp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
#
# Tests on release-stable refStream
@ -205,14 +248,17 @@ jobs:
refStream: "ref/release/stream/stable/?"
provider: "gcp"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
provider: "azure"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "verify"
refStream: "ref/release/stream/stable/?"
provider: "aws"
kubernetes-version: "v1.27"
clusterCreation: "cli"
runs-on: ubuntu-22.04
permissions:
@ -256,7 +302,7 @@ jobs:
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }}
selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }}
clusterCreation: ${{ matrix.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
@ -265,7 +311,7 @@ jobs:
uses: ./.github/actions/constellation_destroy
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }}
clusterCreation: ${{ matrix.clusterCreation }}
cloudProvider: ${{ matrix.provider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
@ -291,7 +337,7 @@ jobs:
test: ${{ matrix.test }}
kubernetesVersion: ${{ matrix.kubernetes-version }}
provider: ${{ matrix.provider }}
selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }}
clusterCreation: ${{ matrix.clusterCreation }}
e2e-upgrade:
strategy:


@ -112,10 +112,10 @@ on:
description: "Enable internal load balancer for the cluster."
type: boolean
default: false
selfManagedInfra:
description: "Use self-managed infrastructure."
type: boolean
default: false
clusterCreation:
description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
type: string
default: "cli"
marketplaceImageVersion:
description: "Marketplace image version to use."
type: string
@ -241,7 +241,7 @@ jobs:
cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }}
internalLoadBalancer: ${{ inputs.internalLoadBalancer }}
selfManagedInfra: ${{ inputs.selfManagedInfra }}
clusterCreation: ${{ inputs.clusterCreation }}
s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
@ -252,7 +252,7 @@ jobs:
uses: ./.github/actions/constellation_destroy
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
selfManagedInfra: ${{ inputs.selfManagedInfra }}
clusterCreation: ${{ inputs.clusterCreation }}
cloudProvider: ${{ inputs.cloudProvider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"


@ -182,7 +182,7 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
selfManagedInfra: "false"
clusterCreation: "cli"
- name: Build CLI
uses: ./.github/actions/build_cli
@ -288,7 +288,7 @@ jobs:
uses: ./.github/actions/constellation_destroy
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
selfManagedInfra: "false"
clusterCreation: "cli"
cloudProvider: ${{ inputs.cloudProvider }}
azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"


@ -35,7 +35,7 @@ var (
"github.e2e-test-provider": {},
"github.ref-stream": {},
"github.kubernetes-version": {},
"github.self-managed-infra": {},
"github.cluster-creation": {},
"deployment-type": {}, // deployment type, e.g. "debugd", "k8s"
}
)


@ -36,6 +36,7 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview
### Optional
- `image_version` (String) The image version to use. If not set, the provider version value is used.
- `insecure` (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.
- `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service
### Read-Only


@ -47,6 +47,7 @@ type AttestationDataSourceModel struct {
AttestationVariant types.String `tfsdk:"attestation_variant"`
ImageVersion types.String `tfsdk:"image_version"`
MaaURL types.String `tfsdk:"maa_url"`
Insecure types.Bool `tfsdk:"insecure"`
Attestation types.Object `tfsdk:"attestation"`
}
@ -97,6 +98,10 @@ func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaReq
MarkdownDescription: "For Azure only, the URL of the Microsoft Azure Attestation service",
Optional: true,
},
"insecure": schema.BoolAttribute{
MarkdownDescription: "DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.",
Optional: true,
},
"attestation": newAttestationConfigAttribute(attributeOutput),
},
}
@ -154,6 +159,8 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
return
}
insecureFetch := data.Insecure.ValueBool()
snpVersions := attestationconfigapi.SEVSNPVersionAPI{}
if attestationVariant.Equal(variant.AzureSEVSNP{}) || attestationVariant.Equal(variant.AWSSEVSNP{}) {
snpVersions, err = d.fetcher.FetchSEVSNPVersionLatest(ctx, attestationVariant)
@ -174,7 +181,7 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq
imageVersion = d.version // Use provider version as default.
}
fetchedMeasurements, err := verifyFetcher.FetchAndVerifyMeasurements(ctx, imageVersion,
csp, attestationVariant, false)
csp, attestationVariant, insecureFetch)
if err != nil {
var rekErr *measurements.RekorError
if errors.As(err, &rekErr) {
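Review bot: Setting `insecure = true` silently disables signature verification in `Read` (L1024 feeds L1033) with nothing in the plan or apply output indicating that the returned attestation config is unverified; emitting a warning diagnostic where the flag is read makes that visible on every run, and a config that accidentally keeps the flag set gets caught in review rather than in production. The SNP version fetch a few lines below (L1027) is not affected by the flag, so only the measurement path is weakened and the warning text should say so. `Read` begins and ends outside this hunk.
```go
insecureFetch := data.Insecure.ValueBool()
if insecureFetch {
	resp.Diagnostics.AddWarning(
		"Insecure measurement fetching enabled",
		"Signature verification of the fetched measurements is skipped; the resulting attestation config is not trustworthy. Do not use this in production.",
	)
}
// … unchanged: SNP version fetch, image version default, FetchAndVerifyMeasurements call …
```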