diff --git a/.github/actions/cdbg_deploy/action.yml b/.github/actions/cdbg_deploy/action.yml index ca894407f..d2c7f4140 100644 --- a/.github/actions/cdbg_deploy/action.yml +++ b/.github/actions/cdbg_deploy/action.yml @@ -20,9 +20,9 @@ inputs: refStream: description: "The refStream of the image the test runs on." required: true - selfManagedInfra: - description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." - default: "false" + clusterCreation: + description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]." + default: "cli" runs: using: "composite" @@ -97,7 +97,7 @@ runs: --info logcollect.github.is-debug-cluster=false \ --info logcollect.github.ref-stream="${{ inputs.refStream }}" \ --info logcollect.github.kubernetes-version="${{ inputs.kubernetesVersion }}" \ - --info logcollect.github.self-managed-infra="${{ inputs.selfManagedInfra }}" \ + --info logcollect.github.cluster-creation="${{ inputs.clusterCreation }}" \ --info logcollect.deployment-type="debugd" \ --verbosity=-1 \ --force diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml index 3c2c19583..6e72455fe 100644 --- a/.github/actions/constellation_create/action.yml +++ b/.github/actions/constellation_create/action.yml @@ -50,9 +50,9 @@ inputs: internalLoadBalancer: description: "Whether to use an internal load balancer for the control plane" required: false - selfManagedInfra: - description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." - required: true + clusterCreation: + description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]." + default: "cli" marketplaceImageVersion: description: "Marketplace OS image version. Used instead of osImage." required: false 
@@ -63,7 +63,7 @@ inputs: outputs: kubeconfig: description: "The kubeconfig for the cluster." - value: ${{ steps.constellation-init.outputs.KUBECONFIG }} + value: ${{ steps.get-kubeconfig.outputs.KUBECONFIG }} osImageUsed: description: "The OS image used in the cluster." value: ${{ steps.setImage.outputs.image }} @@ -148,7 +148,7 @@ runs: sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true - name: Constellation create (CLI) - if : inputs.selfManagedInfra != 'true' + if : inputs.clusterCreation != 'self-managed' shell: bash run: | # TODO(v2.14): Remove workaround for CLIs not supporting apply command @@ -159,7 +159,7 @@ runs: constellation $cmd -y --debug --tf-log=DEBUG - name: Constellation create (self-managed) - if : inputs.selfManagedInfra == 'true' + if : inputs.clusterCreation == 'self-managed' uses: ./.github/actions/self_managed_create with: cloudProvider: ${{ inputs.cloudProvider }} @@ -174,7 +174,7 @@ runs: azureIAMCreateCredentials: ${{ inputs.azureIAMCreateCredentials }} refStream: ${{ inputs.refStream }} kubernetesVersion: ${{ inputs.kubernetesVersion }} - selfManagedInfra: ${{ inputs.selfManagedInfra }} + clusterCreation: ${{ inputs.clusterCreation }} - name: Set force flag id: set-force-flag 
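Review bot: `inputs.clusterCreation` is never validated, so the `if: inputs.clusterCreation != 'self-managed'` guard on `Constellation create (CLI)` (and the `!= 'terraform'` guard on the apply step later in this file, plus the terminate guard in constellation_destroy) routes any misspelled value silently onto the CLI path instead of failing. As far as I know a composite-action `default` only applies when the input is omitted entirely, so a matrix entry without the key passes an empty string and lands on the CLI path the same way, which makes matrix drift invisible. Since the description promises exactly `[cli, self-managed, terraform]`, a first step that rejects anything else keeps the error next to its cause; the value is read through `env` rather than interpolated into the script.
```yaml
- name: Validate clusterCreation input
  shell: bash
  env:
    CLUSTER_CREATION: ${{ inputs.clusterCreation }}
  run: |
    case "${CLUSTER_CREATION}" in
      cli|self-managed|terraform) ;;
      *) echo "unsupported clusterCreation value: '${CLUSTER_CREATION}'" >&2; exit 1 ;;
    esac
# … unchanged: Constellation create (CLI) / (self-managed) steps …
```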
@@ -183,17 +183,30 @@ runs: run: | echo "flag=--force" | tee -a $GITHUB_OUTPUT - - name: Constellation init - id: constellation-init + - name: Constellation apply (Terraform) + id: constellation-apply-terraform + if: inputs.clusterCreation == 'terraform' + uses: ./.github/actions/terraform_apply + with: + cloudProvider: ${{ inputs.cloudProvider }} + + - name: Constellation apply + id: constellation-apply-cli + if: inputs.clusterCreation != 'terraform' shell: bash run: | constellation apply --skip-phases=infrastructure --debug ${{ steps.set-force-flag.outputs.flag }} + + - name: Get kubeconfig + id: get-kubeconfig + shell: bash + run: | echo "KUBECONFIG=$(pwd)/constellation-admin.conf" | tee -a $GITHUB_OUTPUT - name: Wait for nodes to join and become ready shell: bash env: - KUBECONFIG: "${{ steps.constellation-init.outputs.KUBECONFIG }}" + KUBECONFIG: "${{ steps.get-kubeconfig.outputs.KUBECONFIG }}" JOINTIMEOUT: "1200" # 20 minutes timeout for all nodes to join run: | echo "::group::Wait for nodes" diff --git a/.github/actions/constellation_destroy/action.yml b/.github/actions/constellation_destroy/action.yml index 1cd89d0f6..0d56fd89d 100644 --- a/.github/actions/constellation_destroy/action.yml +++ b/.github/actions/constellation_destroy/action.yml @@ -5,9 +5,9 @@ inputs: kubeconfig: description: "The kubeconfig for the cluster." required: true - selfManagedInfra: - description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." - required: true + clusterCreation: + description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]." + default: "cli" gcpClusterDeleteServiceAccount: description: "Service account with permissions to delete a Constellation cluster on GCP." required: true 
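Review bot: The new `Get kubeconfig` step publishes `$(pwd)/constellation-admin.conf` without checking that the file exists, so if the preceding apply step was skipped or wrote elsewhere the problem only surfaces in the later `Wait for nodes` step as an unreadable kubeconfig; a guard such as `test -f constellation-admin.conf || { echo "kubeconfig missing" >&2; exit 1; }` before the `echo` keeps the failure next to its cause. `${{ steps.set-force-flag.outputs.flag }}` is applied only on the CLI apply path and the `terraform_apply` action accepts no equivalent, so if `force` matters for terraform runs (presumably it relaxes version checks) that gap deserves a comment on the `Constellation apply (Terraform)` step. The `Wait for nodes to join and become ready` step continues outside the hunk.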
@@ -72,13 +72,13 @@ runs: azure_credentials: ${{ inputs.azureClusterDeleteCredentials }} - name: Constellation terminate - if: inputs.selfManagedInfra != 'true' + if: inputs.clusterCreation != 'self-managed' shell: bash run: | constellation terminate --yes --tf-log=DEBUG - name: Constellation terminate (self-managed) - if: inputs.selfManagedInfra == 'true' + if: inputs.clusterCreation == 'self-managed' shell: bash working-directory: ${{ github.workspace }}/e2e-infra run: | diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml index b90912261..09b63886a 100644 --- a/.github/actions/deploy_logcollection/action.yml +++ b/.github/actions/deploy_logcollection/action.yml @@ -29,9 +29,9 @@ inputs: kubernetesVersion: description: "Kubernetes version of the cluster" required: false - selfManagedInfra: - description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." - default: "false" + clusterCreation: + description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]." + default: "cli" runs: using: "composite" @@ -57,7 +57,7 @@ runs: --fields github.e2e-test-provider="${{ inputs.provider }}" \ --fields github.ref-stream="${{ inputs.refStream }}" \ --fields github.kubernetes-version="${{ inputs.kubernetesVersion }}" \ - --fields github.self-managed-infra="${{ inputs.selfManagedInfra }}" \ + --fields github.cluster-creation="${{ inputs.clusterCreation }}" \ --fields deployment-type="k8s" # Make sure that helm is installed diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index 6dc1c0b38..fe8f29d5e 100644 --- a/.github/actions/e2e_test/action.yml +++ b/.github/actions/e2e_test/action.yml 
@@ -73,9 +73,9 @@ inputs: description: "Enable security policy for the cluster." internalLoadBalancer: description: "Enable internal load balancer for the cluster." - selfManagedInfra: - description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." - default: "false" + clusterCreation: + description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]." + default: "cli" s3AccessKey: description: "Access key for s3proxy" s3SecretKey: @@ -166,6 +166,28 @@ runs: # Do not spam license server from pipeline sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' + - name: Build Terraform provider binary + if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == '' + uses: ./.github/actions/build_tf_provider + with: + targetOS: ${{ steps.determine-build-target.outputs.hostOS }} + targetArch: ${{ steps.determine-build-target.outputs.hostArch }} + outputPath: "build/terraform-provider-constellation" + + - name: Move Terraform provider binary + if: inputs.clusterCreation == 'terraform' && inputs.cliVersion == '' + shell: bash + run: | + bazel build //bazel/settings:tag + + repository_root=$(git rev-parse --show-toplevel) + out_rel=$(bazel cquery --output=files //bazel/settings:tag) + build_version=$(cat "$(realpath "${repository_root}/${out_rel}")") + + terraform_provider_dir="${HOME}/.terraform.d/plugins/registry.terraform.io/edgelesssys/constellation/${build_version#v}/${{ steps.determine-build-target.outputs.hostOS }}_${{ steps.determine-build-target.outputs.hostArch }}/" + mkdir -p "${terraform_provider_dir}" + mv build/terraform-provider-constellation "${terraform_provider_dir}/terraform-provider-constellation_${build_version}" + - name: Build the bootstrapper id: build-bootstrapper if: inputs.isDebugImage == 'true' 
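Review bot: The mirror directory built in `Move Terraform provider binary` takes its version from `//bazel/settings:tag` (`${build_version#v}`), while the `main.tf` generated by terraform_apply pins `version` to `.microserviceVersion` from constellation-conf.yaml; if the two ever differ, `terraform init` will not find a matching local build and either fails or consults the registry for a version that does not exist, with nothing pointing back to this step. An explicit guard right after the version is computed makes that legible, e.g. `[[ -n "${build_version}" ]] || { echo "empty build version from //bazel/settings:tag" >&2; exit 1; }` followed by `echo "installing provider ${build_version} into ${terraform_provider_dir}"`. `bazel cquery --output=files` can also print more than one path; checking that `out_rel` is a single line avoids a confusing `realpath` error.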
@@ -271,7 +293,7 @@ runs: refStream: ${{ inputs.refStream }} internalLoadBalancer: ${{ inputs.internalLoadBalancer }} test: ${{ inputs.test }} - selfManagedInfra: ${{ inputs.selfManagedInfra }} + clusterCreation: ${{ inputs.clusterCreation }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} force: ${{ inputs.force }} @@ -288,7 +310,7 @@ runs: isDebugImage: ${{ inputs.isDebugImage }} kubernetesVersion: ${{ inputs.kubernetesVersion }} refStream: ${{ inputs.refStream }} - selfManagedInfra: ${{ inputs.selfManagedInfra }} + clusterCreation: ${{ inputs.clusterCreation }} # # Test payloads diff --git a/.github/actions/notify_e2e_failure/action.yml b/.github/actions/notify_e2e_failure/action.yml index a8e481600..fa8b6cb51 100644 --- a/.github/actions/notify_e2e_failure/action.yml +++ b/.github/actions/notify_e2e_failure/action.yml @@ -17,8 +17,8 @@ inputs: kubernetesVersion: description: "Kubernetes version" required: false - selfManagedInfra: - description: "Use self-managed infrastructure instead of infrastructure created by the Constellation CLI." + clusterCreation: + description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]." default: "false" runs: @@ -66,6 +66,7 @@ runs: workflow: ${{ github.workflow }} kubernetesVersion: ${{ inputs.kubernetesVersion }} cloudProvider: ${{ inputs.provider }} + clusterCreation: ${{ inputs.clusterCreation }} test: ${{ inputs.test }} refStream: ${{ inputs.refStream }} token: ${{ inputs.projectWriteToken }} diff --git a/.github/actions/terraform_apply/action.yml b/.github/actions/terraform_apply/action.yml new file mode 100644 index 000000000..c5adfed66 --- /dev/null +++ b/.github/actions/terraform_apply/action.yml 
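Review bot: In notify_e2e_failure the renamed `clusterCreation` input keeps `default: "false"`, which is not one of the values its own description allows (`cli`, `self-managed`, `terraform`); every other action in this commit defaults it to `"cli"`, so this should read `default: "cli"`. As written, a caller that omits the input would have the failure issue report `false` as the creation method, which no consumer of the new value space expects.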
@@ -0,0 +1,157 @@ +name: Terraform provider apply +description: "Create/Apply a Constellation cluster using the Terraform provider." + +inputs: + cloudProvider: + description: "The cloud provider the test runs on." + required: true + +runs: + using: "composite" + steps: + - name: Create Terraform file + shell: bash + run: | + attestationVariant="" + case "$(yq '.attestation | keys | .[0]' constellation-conf.yaml)" in + "awsSEVSNP") + attestationVariant="aws-sev-snp" + ;; + "azureSEVSNP") + attestationVariant="azure-sev-snp" + ;; + "gcpSEVES") + attestationVariant="gcp-sev-es" + ;; + *) + echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)" + exit 1 + ;; + esac + + cat << EOF > main.tf + terraform { + required_providers { + constellation = { + source = "edgelesssys/constellation" + version = "$(yq '.microserviceVersion' constellation-conf.yaml | sed 's/^v//')" + } + random = { + source = "hashicorp/random" + version = "3.6.0" + } + } + } + + resource "random_bytes" "master_secret" { + length = 32 + } + + resource "random_bytes" "master_secret_salt" { + length = 32 + } + + resource "random_bytes" "measurement_salt" { + length = 32 + } + + data "constellation_attestation" "con_attestation" { + csp = "${{ inputs.cloudProvider }}" + attestation_variant = "${attestationVariant}" + image_version = "$(yq '.image' constellation-conf.yaml)" + maa_url = "$(yq '.infrastructure.azure.attestationURL' constellation-state.yaml)" + insecure = true + } + + data "constellation_image" "con_image" { + image_version = "$(yq '.image' constellation-conf.yaml)" + attestation_variant = "${attestationVariant}" + csp = "${{ inputs.cloudProvider }}" + region = "$(yq '.provider.aws.region' constellation-conf.yaml)" + } + + resource "constellation_cluster" "cluster" { + csp = "${{ inputs.cloudProvider }}" + constellation_microservice_version = "$(yq '.microserviceVersion' constellation-conf.yaml)" + name = "$(yq '.name' constellation-conf.yaml)" + uid = 
"$(yq '.infrastructure.uid' constellation-state.yaml)" + image_reference = data.constellation_image.con_image.reference + image_version = "$(yq '.microserviceVersion' constellation-conf.yaml)" + attestation = data.constellation_attestation.con_attestation.attestation + init_secret = "$(yq '.infrastructure.initSecret' constellation-state.yaml | xxd -r -p)" + master_secret = random_bytes.master_secret.hex + master_secret_salt = random_bytes.master_secret_salt.hex + measurement_salt = random_bytes.measurement_salt.hex + out_of_cluster_endpoint = "$(yq '.infrastructure.clusterEndpoint' constellation-state.yaml)" + in_cluster_endpoint = "$(yq '.infrastructure.inClusterEndpoint' constellation-state.yaml)" + azure = { + count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "azure" ? 1 : 0 + tenant_id = "$(yq '.provider.azure.tenant' constellation-conf.yaml)" + subscription_id = "$(yq '.infrastructure.azure.subscriptionID' constellation-state.yaml)" + uami_client_id = "$(yq '.infrastructure.azure.userAssignedIdentity' constellation-state.yaml)" + uami_resource_id = "$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)" + location = "$(yq '.provider.azure.location' constellation-conf.yaml)" + resource_group = "$(yq '.infrastructure.azure.resourceGroup' constellation-state.yaml)" + load_balancer_name = "$(yq '.infrastructure.azure.loadBalancerName' constellation-state.yaml)" + network_security_group_name = "$(yq '.infrastructure.azure.networkSecurityGroupName' constellation-state.yaml)" + } + gcp = { + count = "$(yq '.provider | keys | .[0]' constellation-conf.yaml)" == "gcp" ? 
1 : 0 + project_id = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)" + service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)") + } + network_config = { + ip_cidr_node = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)" + ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)" + ip_cidr_pod = "$(yq '.infrastructure.gcp.ipCidrPod' constellation-state.yaml)" # This is null for everything but GCP + } + } + + output "master_secret" { + value = random_bytes.master_secret.base64 + sensitive = true + } + + output "master_secret_salt" { + value = random_bytes.master_secret_salt.base64 + sensitive = true + } + + output "measurement_salt" { + value = random_bytes.measurement_salt.hex + sensitive = true + } + + output "cluster_id" { + value = constellation_cluster.cluster.cluster_id + } + + output "owner_id" { + value = constellation_cluster.cluster.owner_id + } + + output "kubeconfig" { + value = constellation_cluster.cluster.kubeconfig + sensitive = true + } + EOF + + - name: Apply Terraform configuration + shell: bash + run: | + terraform init + terraform apply -auto-approve + + - name: Write output + shell: bash + run: | + terraform output -raw kubeconfig > "$(pwd)/constellation-admin.conf" + yq -i ".clusterValues.measurementSalt = $(terraform output measurement_salt)" constellation-state.yaml + yq -i ".clusterValues.clusterID = $(terraform output cluster_id)" constellation-state.yaml + yq -i ".clusterValues.ownerID = $(terraform output owner_id)" constellation-state.yaml + cat << EOF > constellation-mastersecret.json + { + "key": "$(terraform output -raw master_secret)", + "salt": "$(terraform output -raw master_secret_salt)" + } + EOF diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml index f0ce3e41a..45efd049d 100644 --- a/.github/workflows/e2e-test-daily.yml +++ b/.github/workflows/e2e-test-daily.yml 
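Review bot: `yq` prints the literal `null` for absent keys, so on GCP and AWS `maa_url` becomes the string `"null"`, on GCP and Azure `region` does, and the `azure`/`gcp` sub-blocks always receive `"null"` strings on the other providers; unless the provider ignores those, use a default in the lookup, e.g. `maa_url = "$(yq '.infrastructure.azure.attestationURL // ""' constellation-state.yaml)"`, and the same `// ""` for the other CSP-specific keys. `insecure = true` on `constellation_attestation` unconditionally skips signature verification of the fetched measurements for every run, while the e2e_test action already has a `fetchMeasurements` input for exactly this distinction; gating it on the same signal and adding a comment explaining why debug images need it would keep release-stream runs verified. The GCP service-account key, the decoded init secret and the generated master secret are written in cleartext into `main.tf` and then into `terraform.tfstate` in the workspace; declaring them as sensitive `variable`s fed through `TF_VAR_*` from the step `env` keeps them out of the rendered file, and nothing later should upload the workspace as an artifact. `init_secret` is produced by `xxd -r -p`, which emits raw bytes into an HCL string literal; if the provider expects the hex form stored in constellation-state.yaml the decode should be dropped, so this is worth confirming against the provider schema.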
@@ -90,14 +90,14 @@ jobs: awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} - selfManagedInfra: "false" + clusterCreation: "cli" - name: Always terminate cluster if: always() uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - selfManagedInfra: "false" + clusterCreation: "cli" cloudProvider: ${{ matrix.provider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" @@ -123,7 +123,7 @@ jobs: test: ${{ matrix.test }} kubernetesVersion: ${{ matrix.kubernetesVersion }} provider: ${{ matrix.provider }} - selfManagedInfra: "false" + clusterCreation: "cli" e2e-mini: name: Run miniconstellation E2E test diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml index 4b04f6655..e6a4977ee 100644 --- a/.github/workflows/e2e-test-release.yml +++ b/.github/workflows/e2e-test-release.yml 
@@ -49,107 +49,130 @@ jobs: provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "azure" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "aws" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "gcp" kubernetes-version: "v1.27" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "azure" kubernetes-version: "v1.27" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "aws" kubernetes-version: "v1.27" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "gcp" kubernetes-version: "v1.26" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "azure" kubernetes-version: "v1.26" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "sonobuoy full" provider: "aws" kubernetes-version: "v1.26" runner: "ubuntu-22.04" + clusterCreation: "cli" # verify test on latest k8s version - test: "verify" provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "verify" provider: "azure" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "verify" provider: "aws" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" # recover test on latest k8s version - test: "recover" provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "recover" provider: "azure" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "recover" provider: "aws" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" # lb test on latest k8s version - test: "lb" provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "lb" provider: "azure" kubernetes-version: "v1.28" runner: 
"ubuntu-22.04" + clusterCreation: "cli" - test: "lb" provider: "aws" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" # autoscaling test on latest k8s version - test: "autoscaling" provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "autoscaling" provider: "azure" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "autoscaling" provider: "aws" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" # perf-bench test on latest k8s version, not supported on AWS - test: "perf-bench" provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" - test: "perf-bench" provider: "azure" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" # self-managed infra test on latest k8s version # runs Sonobuoy full test @@ -157,17 +180,17 @@ jobs: provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" - selfManagedInfra: "true" + clusterCreation: "self-managed" - test: "sonobuoy full" provider: "azure" kubernetes-version: "v1.28" runner: "ubuntu-22.04" - selfManagedInfra: "true" + clusterCreation: "self-managed" - test: "sonobuoy full" provider: "aws" kubernetes-version: "v1.28" runner: "ubuntu-22.04" - selfManagedInfra: "true" + clusterCreation: "self-managed" # s3proxy test on latest k8s version - test: "s3proxy" @@ -175,6 +198,7 @@ jobs: provider: "gcp" kubernetes-version: "v1.28" runner: "ubuntu-22.04" + clusterCreation: "cli" # # Tests on macOS runner @@ -189,6 +213,7 @@ jobs: provider: "gcp" kubernetes-version: "v1.28" runner: "macos-12" + clusterCreation: "cli" runs-on: ${{ matrix.runner }} permissions: id-token: write 
@@ -237,7 +262,7 @@ jobs: cosignPassword: ${{ secrets.COSIGN_PASSWORD }} cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} githubToken: ${{ secrets.GITHUB_TOKEN }} - selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} + clusterCreation: ${{ matrix.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} @@ -246,7 +271,7 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} + clusterCreation: ${{ matrix.clusterCreation }} cloudProvider: ${{ matrix.provider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" diff --git a/.github/workflows/e2e-test-self-managed.yml b/.github/workflows/e2e-test-self-managed.yml index 8f85f4a71..fbdabe2f5 100644 --- a/.github/workflows/e2e-test-self-managed.yml +++ b/.github/workflows/e2e-test-self-managed.yml @@ -85,4 +85,4 @@ jobs: machineType: ${{ inputs.machineType }} regionZone: ${{ inputs.regionZone }} git-ref: ${{ inputs.git-ref }} - selfManagedInfra: true + clusterCreation: "self-managed" diff --git a/.github/workflows/e2e-test-terraform-provider.yml b/.github/workflows/e2e-test-terraform-provider.yml new file mode 100644 index 000000000..7a3b80777 --- /dev/null +++ b/.github/workflows/e2e-test-terraform-provider.yml 
@@ -0,0 +1,88 @@ +name: e2e test Terraform provider + +on: + workflow_dispatch: + inputs: + nodeCount: + description: "Number of nodes to use in the cluster. Given in format `:`." + default: "3:2" + type: string + cloudProvider: + description: "Which cloud provider to use." + type: choice + options: + - "gcp" + - "azure" + - "aws" + default: "azure" + required: true + runner: + description: "Architecture of the runner that executes the CLI" + type: choice + options: + - "ubuntu-22.04" + - "macos-12" + default: "ubuntu-22.04" + test: + description: "The test to run." + type: choice + options: + - "sonobuoy quick" + - "sonobuoy full" + - "autoscaling" + - "lb" + - "perf-bench" + - "verify" + - "recover" + - "malicious join" + - "nop" + required: true + kubernetesVersion: + description: "Kubernetes version to create the cluster from." + default: "1.27" + required: true + releaseVersion: + description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref." + type: string + default: "" + required: false + imageVersion: + description: "Full name of OS image (CSP independent image version UID). Leave empty for latest debug image on main." + type: string + default: "" + required: false + machineType: + description: "Override VM machine type. Leave as 'default' or empty to use the default VM type for the selected cloud provider." + type: string + default: "default" + required: false + regionZone: + description: "Region or zone to create the cluster in. Leave empty for default region/zone." + type: string + git-ref: + description: "Git ref to checkout." 
+ type: string + default: "head" + required: false + +jobs: + e2e-test: + permissions: + id-token: write + checks: write + contents: read + packages: write + secrets: inherit + uses: ./.github/workflows/e2e-test.yml + with: + nodeCount: ${{ inputs.nodeCount }} + cloudProvider: ${{ inputs.cloudProvider }} + runner: ${{ inputs.runner }} + test: ${{ inputs.test }} + kubernetesVersion: ${{ inputs.kubernetesVersion }} + cliVersion: ${{ inputs.releaseVersion }} + imageVersion: ${{ inputs.imageVersion }} + machineType: ${{ inputs.machineType }} + regionZone: ${{ inputs.regionZone }} + git-ref: ${{ inputs.git-ref }} + clusterCreation: "terraform" diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index 9be56d326..49541ad11 100644 --- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml 
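Review bot: The `runner` input offers `macos-12`, but the terraform path this workflow selects relies on `base64 -w0` in terraform_apply and on `realpath` in the provider-install step, neither of which the BSD userland on macOS 12 is guaranteed to provide, so the option appears Linux-only unless GNU coreutils are installed first; either drop `macos-12` here or document the requirement. `releaseVersion` is described as "Version of a released provider to download" but is forwarded as `cliVersion`, which in e2e_test also selects the released CLI and disables the provider build, so the description should state that both are pinned to that version. The `nodeCount` description reads "Given in format `:`", where the placeholders around the colon appear to have been lost; spelling out which number is control-plane and which is worker would make the expected format explicit.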
@@ -56,121 +56,147 @@ jobs: refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "aws" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.27" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.27" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "aws" kubernetes-version: "v1.27" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.26" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.26" + clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "aws" kubernetes-version: "v1.26" + clusterCreation: "cli" # verify test on latest k8s version - test: "verify" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "verify" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests. + clusterCreation: "cli" - test: "verify" provider: "aws" refStream: "ref/main/stream/debug/?" kubernetes-version: "v1.28" + clusterCreation: "cli" # recover test on latest k8s version - test: "recover" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "recover" refStream: "ref/main/stream/debug/?" 
provider: "azure" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "recover" refStream: "ref/main/stream/debug/?" provider: "aws" kubernetes-version: "v1.28" + clusterCreation: "cli" # lb test on latest k8s version - test: "lb" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "lb" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "lb" refStream: "ref/main/stream/debug/?" provider: "aws" kubernetes-version: "v1.28" + clusterCreation: "cli" # autoscaling test on latest k8s version - test: "autoscaling" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "autoscaling" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "autoscaling" refStream: "ref/main/stream/debug/?" provider: "aws" kubernetes-version: "v1.28" + clusterCreation: "cli" # perf-bench test on latest k8s version, not supported on AWS - test: "perf-bench" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "perf-bench" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" + clusterCreation: "cli" # malicious join test on latest k8s version - test: "malicious join" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "malicious join" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" + clusterCreation: "cli" - test: "malicious join" refStream: "ref/main/stream/debug/?" provider: "aws" kubernetes-version: "v1.28" + clusterCreation: "cli" # self-managed infra test on latest k8s version # with Sonobuoy full 
@@ -178,23 +204,40 @@ jobs: refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" - selfManagedInfra: "true" + clusterCreation: "self-managed" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" provider: "azure" kubernetes-version: "v1.28" - selfManagedInfra: "true" + clusterCreation: "self-managed" - test: "sonobuoy full" provider: "aws" refStream: "ref/main/stream/debug/?" kubernetes-version: "v1.28" - selfManagedInfra: "true" + clusterCreation: "self-managed" + + - test: "sonobuoy full" + refStream: "ref/main/stream/debug/?" + provider: "gcp" + kubernetes-version: "v1.28" + clusterCreation: "terraform" + - test: "sonobuoy full" + refStream: "ref/main/stream/debug/?" + provider: "azure" + kubernetes-version: "v1.28" + clusterCreation: "terraform" + - test: "sonobuoy full" + refStream: "ref/main/stream/debug/?" + provider: "aws" + kubernetes-version: "v1.28" + clusterCreation: "terraform" # s3proxy test on latest k8s version - test: "s3proxy" refStream: "ref/main/stream/debug/?" provider: "gcp" kubernetes-version: "v1.28" + clusterCreation: "cli" # # Tests on release-stable refStream @@ -205,14 +248,17 @@ jobs: refStream: "ref/release/stream/stable/?" provider: "gcp" kubernetes-version: "v1.27" + clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" provider: "azure" kubernetes-version: "v1.27" + clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" provider: "aws" kubernetes-version: "v1.27" + clusterCreation: "cli" runs-on: ubuntu-22.04 permissions: 
@@ -256,7 +302,7 @@ jobs: cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }} azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }} - selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} + clusterCreation: ${{ matrix.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} @@ -265,7 +311,7 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} + clusterCreation: ${{ matrix.clusterCreation }} cloudProvider: ${{ matrix.provider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" @@ -291,7 +337,7 @@ jobs: test: ${{ matrix.test }} kubernetesVersion: ${{ matrix.kubernetes-version }} provider: ${{ matrix.provider }} - selfManagedInfra: ${{ matrix.selfManagedInfra == 'true' }} + clusterCreation: ${{ matrix.clusterCreation }} e2e-upgrade: strategy: diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index c3f86f0e7..c345926e2 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -112,10 +112,10 @@ on: description: "Enable internal load balancer for the cluster." type: boolean default: false - selfManagedInfra: - description: "Use self-managed infrastructure." - type: boolean - default: false + clusterCreation: + description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]." + type: string + default: "cli" marketplaceImageVersion: description: "Marketplace image version to use." type: string 
@@ -241,7 +241,7 @@ jobs: cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }} internalLoadBalancer: ${{ inputs.internalLoadBalancer }} - selfManagedInfra: ${{ inputs.selfManagedInfra }} + clusterCreation: ${{ inputs.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }} @@ -252,7 +252,7 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - selfManagedInfra: ${{ inputs.selfManagedInfra }} + clusterCreation: ${{ inputs.clusterCreation }} cloudProvider: ${{ inputs.cloudProvider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml index aa331ef98..e7374414e 100644 --- a/.github/workflows/e2e-upgrade.yml +++ b/.github/workflows/e2e-upgrade.yml @@ -182,7 +182,7 @@ jobs: awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} - selfManagedInfra: "false" + clusterCreation: "cli" - name: Build CLI uses: ./.github/actions/build_cli @@ -288,7 +288,7 @@ jobs: uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} - selfManagedInfra: "false" + clusterCreation: "cli" cloudProvider: ${{ inputs.cloudProvider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" diff --git a/debugd/internal/debugd/logcollector/fields.go b/debugd/internal/debugd/logcollector/fields.go index 86e5d5f96..08c3776d7 100644 
--- a/debugd/internal/debugd/logcollector/fields.go +++ b/debugd/internal/debugd/logcollector/fields.go @@ -35,7 +35,7 @@ var ( "github.e2e-test-provider": {}, "github.ref-stream": {}, "github.kubernetes-version": {}, - "github.self-managed-infra": {}, + "github.cluster-creation": {}, "deployment-type": {}, // deployment type, e.g. "debugd", "k8s" } ) diff --git a/terraform-provider-constellation/docs/data-sources/attestation.md b/terraform-provider-constellation/docs/data-sources/attestation.md index 1655dce6e..40bbeeadb 100644 --- a/terraform-provider-constellation/docs/data-sources/attestation.md +++ b/terraform-provider-constellation/docs/data-sources/attestation.md @@ -36,6 +36,7 @@ See the [full list of CSPs](https://docs.edgeless.systems/constellation/overview ### Optional - `image_version` (String) The image version to use. If not set, the provider version value is used. +- `insecure` (Boolean) DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image. - `maa_url` (String) For Azure only, the URL of the Microsoft Azure Attestation service ### Read-Only diff --git a/terraform-provider-constellation/internal/provider/attestation_data_source.go b/terraform-provider-constellation/internal/provider/attestation_data_source.go index 181be292e..8d8e07646 100644 --- a/terraform-provider-constellation/internal/provider/attestation_data_source.go +++ b/terraform-provider-constellation/internal/provider/attestation_data_source.go @@ -47,6 +47,7 @@ type AttestationDataSourceModel struct { AttestationVariant types.String `tfsdk:"attestation_variant"` ImageVersion types.String `tfsdk:"image_version"` MaaURL types.String `tfsdk:"maa_url"` + Insecure types.Bool `tfsdk:"insecure"` Attestation types.Object `tfsdk:"attestation"` } 
@@ -97,6 +98,10 @@ func (d *AttestationDataSource) Schema(_ context.Context, _ datasource.SchemaReq MarkdownDescription: "For Azure only, the URL of the Microsoft Azure Attestation service", Optional: true, }, + "insecure": schema.BoolAttribute{ + MarkdownDescription: "DON'T USE IN PRODUCTION Skip the signature verification when fetching measurements for the image.", + Optional: true, + }, "attestation": newAttestationConfigAttribute(attributeOutput), }, } @@ -154,6 +159,8 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq return } + insecureFetch := data.Insecure.ValueBool() + snpVersions := attestationconfigapi.SEVSNPVersionAPI{} if attestationVariant.Equal(variant.AzureSEVSNP{}) || attestationVariant.Equal(variant.AWSSEVSNP{}) { snpVersions, err = d.fetcher.FetchSEVSNPVersionLatest(ctx, attestationVariant) @@ -174,7 +181,7 @@ func (d *AttestationDataSource) Read(ctx context.Context, req datasource.ReadReq imageVersion = d.version // Use provider version as default. } fetchedMeasurements, err := verifyFetcher.FetchAndVerifyMeasurements(ctx, imageVersion, - csp, attestationVariant, false) + csp, attestationVariant, insecureFetch) if err != nil { var rekErr *measurements.RekorError if errors.As(err, &rekErr) {
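Review bot: The `MarkdownDescription` of the new `insecure` attribute reads `DON'T USE IN PRODUCTION Skip the signature verification ...` with no separator after the warning, and it does not state what the user gives up; the generated `docs/data-sources/attestation.md` entry in this diff mirrors the sentence verbatim. Suggest `MarkdownDescription: "DON'T USE IN PRODUCTION: Skip the signature verification when fetching measurements for the image. The resulting attestation config then trusts whatever the measurement source returns."` and regenerating the docs from it. The enclosing `Schema` method starts before and ends after this hunk.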
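Review bot: `insecureFetch := data.Insecure.ValueBool()` is handed straight to `FetchAndVerifyMeasurements` in the `@@ -174` hunk below, but nothing at plan or apply time surfaces that signature verification was skipped, so an `insecure = true` left behind in a module is invisible in the output. Emit a warning diagnostic right after the assignment, e.g. `if insecureFetch {` / `resp.Diagnostics.AddWarning("Measurement signature verification disabled", "insecure is set; measurements are used without signature verification and must not be used in production.")` / `}` (assuming the response parameter is named `resp` as in the framework's usual Read signature; its name is cut off in the header). `Read` begins before and ends after these hunks.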