diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index aeaaadd64..41462241b 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -1,6 +1,6 @@
 name: Constellation create
 description: |
- Create a new Constellation cluster using latest CoreOS image.
+ Create a new Constellation cluster using latest OS image.
 inputs:
 workerNodesCount:
 description: "Number of worker nodes to spawn."
@@ -17,11 +17,11 @@ inputs:
 machineType:
 description: "Machine type of VM to spawn."
 required: false
- coreosImage:
- description: "CoreOS image to use. The default value 'debug-latest' will select the latest available debug image."
+ osImage:
+ description: "OS image to use. The default value 'debug-latest' will select the latest available debug image."
 required: true
 isDebugImage:
- description: "Is CoreOS img a debug img?"
+ description: "Is OS img a debug img?"
 required: true
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
@@ -74,23 +74,23 @@ runs:
 run: |
 case $CSP in
 azure)
- if [ "${{ inputs.coreosImage == 'debug-latest' }}" = true ]
+ if [ "${{ inputs.osImage == 'debug-latest' }}" = true ]
 then
 IMAGE_DEFINITION=$(az sig image-definition list --resource-group constellation-images --gallery-name Constellation_Debug_CVM --query "[].name" -o tsv | sort --version-sort | tail -n 1)
 AZURE_IMAGE=$(az sig image-version list --resource-group constellation-images --gallery-name Constellation_Debug_CVM --gallery-image-definition ${IMAGE_DEFINITION} --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table | tail -n 1)
 else
- AZURE_IMAGE=${{ inputs.coreosImage }}
+ AZURE_IMAGE=${{ inputs.osImage }}
 fi
 yq eval -i "(.provider.azure.image) = \"${AZURE_IMAGE}\"" constellation-conf.yaml
 ;;
 gcp)
- if [ "${{ inputs.coreosImage == 'debug-latest' }}" = true ]
+ if [ "${{ inputs.osImage == 'debug-latest' }}" = true ]
 then
 GCP_IMAGE_NAME=$(gcloud compute images list --project constellation-images --filter="name ~ constellation-\d{10} AND family~constellation-debug-v\d+-\d+-\d+" --sort-by=creationTimestamp --format="table(name)" | tail -n 1)
 GCP_IMAGE="projects/constellation-images/global/images/${GCP_IMAGE_NAME}"
 else
- GCP_IMAGE=${{ inputs.coreosImage }}
+ GCP_IMAGE=${{ inputs.osImage }}
 fi
 yq eval -i "(.provider.gcp.image) = \"${GCP_IMAGE}\"" constellation-conf.yaml
diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index 8c7b5d865..652a5fb1c 100644
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
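Review bot: The `AZURE_IMAGE=${{ inputs.osImage }}` and `GCP_IMAGE=${{ inputs.osImage }}` lines splice the input into the script text before bash parses it, so an image value containing quotes, `$(`, `;` or a newline changes the commands that run rather than just the image path; the rename carries this pattern over unchanged from the old `coreosImage` lines. Pass the input through the step's `env:` and reference it as a quoted shell variable so bash treats it as data, as sketched below. The hand-built `\"${AZURE_IMAGE}\"` quoting inside the `yq` expressions has the same weakness for values containing a double quote; `yq`'s `strenv()` reads the variable from the environment instead. The step header (`- name:`, `shell:`) and the rest of the `case` lie outside the hunk.
```yaml
        env:
          OS_IMAGE: ${{ inputs.osImage }}
        run: |
          case $CSP in
            azure)
              # … unchanged: debug-latest lookup of IMAGE_DEFINITION / AZURE_IMAGE …
              else
                AZURE_IMAGE="$OS_IMAGE"
              fi
              # … unchanged: yq call …
              ;;
            gcp)
              # … unchanged: debug-latest lookup of GCP_IMAGE_NAME / GCP_IMAGE …
              else
                GCP_IMAGE="$OS_IMAGE"
              fi
              # … unchanged: yq call; case continues outside the hunk …
```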
@@ -13,12 +13,12 @@ inputs:
 machineType:
 description: "VM machine type. Make sure it matches selected cloud provider!"
 required: false
- coreosImage:
- description: "CoreOS image to run. The default value 'debug-latest' will select the latest available debug image."
+ osImage:
+ description: "OS image to run. The default value 'debug-latest' will select the latest available debug image."
 default: "debug-latest"
 required: true
 isDebugImage:
- description: "Is CoreOS img a debug img?"
+ description: "Is OS img a debug img?"
 default: "true"
 required: true
 kubernetesVersion:
@@ -93,7 +93,7 @@ runs:
 workerNodesCount: ${{ inputs.workerNodesCount }}
 controlNodesCount: ${{ inputs.controlNodesCount }}
 machineType: ${{ inputs.machineType }}
- coreosImage: ${{ inputs.coreosImage }}
+ osImage: ${{ inputs.osImage }}
 isDebugImage: ${{ inputs.isDebugImage }}
 kubernetesVersion: ${{ inputs.kubernetesVersion }}
 azureClientSecret: ${{ inputs.azureClientSecret }}
diff --git a/.github/actions/generate_measurements/action.yml b/.github/actions/generate_measurements/action.yml
index dd8d62d18..21f05c077 100644
--- a/.github/actions/generate_measurements/action.yml
+++ b/.github/actions/generate_measurements/action.yml
@@ -4,11 +4,11 @@ inputs:
 cloudProvider:
 description: "Which cloud provider to use."
 required: true
- coreosImage:
- description: "CoreOS image to run. The default value 'debug-latest' will select the latest available debug image."
+ osImage:
+ description: "OS image to run. The default value 'debug-latest' will select the latest available debug image."
 required: true
 isDebugImage:
- description: "Is CoreOS img a debug img?"
+ description: "Is OS img a debug img?"
 required: true
 workerNodesCount:
 description: "Number of worker nodes to spawn."
@@ -87,7 +87,7 @@ runs:
 workerNodesCount: ${{ inputs.workerNodesCount }}
 controlNodesCount: ${{ inputs.controlNodesCount }}
 machineType: ${{ inputs.machineType }}
- coreosImage: ${{ inputs.coreosImage }}
+ osImage: ${{ inputs.osImage }}
 isDebugImage: ${{ inputs.isDebugImage }}
 kubernetesVersion: ${{ inputs.kubernetesVersion }}
 azureClientSecret: ${{ inputs.azureClientSecret }}
diff --git a/.github/docs/README.md b/.github/docs/README.md
index d128fc74e..c4d802a69 100644
--- a/.github/docs/README.md
+++ b/.github/docs/README.md
@@ -107,7 +107,7 @@ For information on how to achieve this, refer to the [First steps](https://docs.
 ## Image versions
-The [build-coreos](../workflows/build-coreos.yml) workflow can be used to trigger an image build.
+The [build-os-image](../workflows/build-os-image.yml) workflow can be used to trigger an image build.
 The workflow can be used to build debug or release images.
 A debug image uses [`debugd`](../../debugd/) as its bootstrapper binary, while release images use the actual [`bootstrapper`](../../bootstrapper/)
diff --git a/.github/docs/layout.md b/.github/docs/layout.md
index ce1d09019..7ef135736 100644
--- a/.github/docs/layout.md
+++ b/.github/docs/layout.md
@@ -20,6 +20,5 @@ Development components:
 Additional repositories:
-* [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
 * [constellation-azuredisk-csi-driver](https://github.com/edgelesssys/constellation-azuredisk-csi-driver): Azure CSI driver with encryption on node
 * [constellation-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
diff --git a/.github/docs/release.md b/.github/docs/release.md
index 61a19cf20..4af7a297f 100644
--- a/.github/docs/release.md
+++ b/.github/docs/release.md
@@ -12,11 +12,8 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
 # push upstream via PR
 ```
-3. On the [CoreOS config repo](https://github.com/edgelesssys/constellation-fedora-coreos-config), create two new branches `release/v1.3`, `stream/v1.3` (new minor version) or use the existing ones (new patch version).
- The release branch contains the squashed changeset and is branched from main while the stream branch contains the rebased changesets on top of the latest upstream changes.
- [Consult this guide on rebasing forks (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/rebasing_forks.md#managing-release-branches) on how to create those two branches.
-4. Create a new branch `release/v1.3` (new minor version) or use the existing one (new patch version)
-5. On this branch, prepare the following things:
+3. Create a new branch `release/v1.3` (new minor version) or use the existing one (new patch version)
+4. On this branch, prepare the following things:
 1. (new patch version) `cherry-pick` (only) the required commits from `main`
 2. Use [Build micro-service manual](https://github.com/edgelesssys/constellation/actions/workflows/build-micro-service-manual.yml) and run the pipeline once for each micro-service with the following parameters:
 * branch: `release/v1.3`
@@ -55,10 +52,10 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
 2. Create a new block for unreleased changes
 5. Update project version in [CMakeLists.txt](/CMakeLists.txt) to `1.3.0` (without v).
 6. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**.
- 7. Create a [production coreOS image](/.github/workflows/build-coreos.yml)
+ 7. Create a [production OS image](/.github/workflows/build-coreos.yml)
 ```sh
- gh workflow run build-coreos.yml --ref release/v$minor -F debug=false -F coreOSConfigBranch=release/v$minor -F imageVersion=v$ver
+ gh workflow run build-os-image.yml --ref release/v$minor -F debug=false -F imageVersion=v$ver
 ```
 8. Update [default images in config](/internal/config/images_enterprise.go)
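Review bot: The link on the new `7.` line still targets `/.github/workflows/build-coreos.yml`, which this same commit deletes, while the command directly below it now runs `build-os-image.yml`; the line should read `7. Create a [production OS image](/.github/workflows/build-os-image.yml)`. The README.md hunk earlier in this diff links to the same new workflow, but `build-os-image.yml` is not added anywhere in the visible diff, so confirm it exists on the branch before merging. The numbered list this line belongs to starts outside the hunk.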
@@ -66,17 +63,17 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
 ```sh
 sono='--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
- gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
- gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
- gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
- gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+ gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+ gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+ gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+ gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
 ```
 10. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP.
 ```sh
- gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
- gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+ gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+ gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
 ```
 11. Create a new tag on this release branch
@@ -92,14 +89,14 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
 ```
 * The previous step will create a draft release. Check build output for link to draft release. Review & approve.
-6. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users.
-7. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
-8. Milestones management
+5. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users.
+6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
+7. Milestones management
 1. Create a new milestone for the next release
 2. Add the next release manager and an approximate release date to the milestone description
 3. Close the milestone for the release
 4. Move open issues and PRs from closed milestone to next milestone
-9. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
+8. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
 ```sh
 nextMinorVer=$(echo $ver | awk -F. -v OFS=. '{$2 += 1 ; print}')
 git checkout main
diff --git a/.github/runners/gcp-nested-virt/README.md b/.github/runners/gcp-nested-virt/README.md
deleted file mode 100644
index 67717b01a..000000000
--- a/.github/runners/gcp-nested-virt/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-This folder contains a template for deploying a builder for CoreOS on GCP.
-
-## Manually start a builder instance
-```
-gcloud compute instances create coreos-builder --enable-nested-virtualization --zone=us-central1-c --boot-disk-size 64GB --machine-type=n2-highmem-4 --image-project="ubuntu-os-cloud" --image="ubuntu-2110-impish-v20220118" --metadata-from-file=user-data=cloud-init.txt
-```
diff --git a/.github/runners/gcp-nested-virt/cloud-init.txt b/.github/runners/gcp-nested-virt/cloud-init.txt
deleted file mode 100644
index 0c5ae37ae..000000000
--- a/.github/runners/gcp-nested-virt/cloud-init.txt
+++ /dev/null
@@ -1,37 +0,0 @@
-#cloud-config
-
-users:
- - default
- - name: github-actions-runner-user
- groups: docker
- sudo: ALL=(ALL) NOPASSWD:ALL
- homedir: /home/github-actions-runner-user
-
-package_update: true
-packages:
- - git
- - cryptsetup
- - build-essential
- - libguestfs-tools
- - ca-certificates
- - curl
- - gnupg
- - lsb-release
- - jq
- - pv
-
-runcmd:
- - [sudo, chmod, "+r", "/boot/vmlinuz*"]
- - [/bin/bash, -c, "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg"]
- - [/bin/bash, -c, "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\" | tee /etc/apt/sources.list.d/docker.list > /dev/null "]
- - [apt-get, update]
- - [apt-get, install, -y, docker-ce, docker-ce-cli, containerd.io, libssl-dev, pigz]
- - [chmod, 666, /dev/kvm]
- - [mkdir, -p, /actions-runner]
- - [curl, -o, "/actions-runner/actions-runner-linux-x64-2.286.1.tar.gz", -L, "https://github.com/actions/runner/releases/download/v2.286.1/actions-runner-linux-x64-2.286.1.tar.gz"]
- - [/bin/bash, -c, "cd /actions-runner && tar xzf /actions-runner/actions-runner-linux-x64-2.286.1.tar.gz"]
- - [sed, -i, "s:# insert anything to setup env when running as a service:export HOME=/home/github-actions-runner-user:", runsvc.sh]
- - [chown, -R, github-actions-runner-user:github-actions-runner-user, /actions-runner]
- - [sudo, -u, github-actions-runner-user, /bin/bash, -c, "cd /actions-runner && /actions-runner/config.sh --url https://github.com/edgelesssys/constellation --ephemeral --labels nested-virt --replace --unattended --token $(curl -u api:$(gcloud secrets versions access latest --secret=constellation-images-coreos-builder-github-token) -X POST -H 'Accept: application/vnd.github.v3+json' https://api.github.com/repos/edgelesssys/constellation/actions/runners/registration-token | jq -r .token)"]
- - [/bin/bash, -c, "cd /actions-runner && ./svc.sh install"]
- - [/bin/bash, -c, "systemctl enable --now actions.runner.edgelesssys-constellation.$(hostname).service"]
diff --git a/.github/runners/gcp-nested-virt/google-cloud-function.py b/.github/runners/gcp-nested-virt/google-cloud-function.py
deleted file mode 100644
index 8a15f607f..000000000
--- a/.github/runners/gcp-nested-virt/google-cloud-function.py
+++ /dev/null
@@ -1,205 +0,0 @@
-import os
-import sys
-import re
-import hmac
-import hashlib
-import random
-import string
-import google.cloud.compute_v1 as compute_v1
-
-LABEL="nested-virt"
-AUTH_TOKEN_ENV="COREOS_BUILDER_WORKFLOW_FUNCTION_TOKEN"
-SA_EMAIL="constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
-SA_SCOPES=[
- "https://www.googleapis.com/auth/compute",
- "https://www.googleapis.com/auth/servicecontrol",
- "https://www.googleapis.com/auth/cloud-platform",
-]
-
-def workflow_job(request):
- """Responds to https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
- Args:
- request (flask.Request): HTTP request object.
- Returns:
- The response text or any set of values that can be turned into a
- Response object using
- `make_response `.
- """
- allow, reason = authorize(request)
- if not allow:
- return f'unauthorized: {reason}'
- request_json = request.get_json()
- if request_json and 'action' in request_json:
- if request_json['action'] == 'queued':
- return job_queued(request_json['workflow_job'])
- elif request_json['action'] == 'completed':
- return job_completed(request_json['workflow_job'])
- elif request_json['action'] == 'in_progress':
- return f'nothing to do here'
- else:
- return f'invalid message format'
-
-def authorize(request) -> (bool, str) :
- correct_token = os.environ.get(AUTH_TOKEN_ENV)
- if correct_token is None:
- return False, 'correct token not set'
- correct_hmac = 'sha256=' + hmac.new(correct_token.encode('utf-8'), request.get_data(), hashlib.sha256).hexdigest()
- request_hmac = request.headers.get('X-Hub-Signature-256')
- if request_hmac is None:
- return False, 'X-Hub-Signature-256 not set'
- if correct_hmac == request_hmac:
- return True, ''
- else:
- return False, f'X-Hub-Signature-256 incorrect'
-
-
-def job_queued(workflow_job) -> str:
- if not LABEL in workflow_job['labels']:
- return f'unexpected job labels: {workflow_job["labels"]}'
- cloud_init = generate_cloud_init()
- instance_uid = ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(6))
- try:
- create_instance(metadata={'user-data': cloud_init}, instance_name=f'coreos-builder-{instance_uid}')
- except Exception as e:
- return f'creating instance failed: {e}'
- return 'success'
-
-def job_completed(workflow_job) -> str:
- if not LABEL in workflow_job['labels']:
- return f'unexpected job labels: {workflow_job["labels"]}'
- instance_name = workflow_job["runner_name"]
- try:
- delete_instance(machine_name=instance_name)
- except Exception as e:
- return f'deleting instance failed: {e}'
- return 'success'
-
-def generate_cloud_init() -> str:
- with open("cloud-init.txt", "r") as f:
- cloud_init = f.read()
- return cloud_init
-
-def create_instance(
- metadata: dict[str, str],
- project_id: str = 'constellation-331613',
- zone: str = 'us-central1-c',
- instance_name: str = 'coreos-builder',
- machine_type: str = "n2-highmem-4",
- source_image: str = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2004-lts",
- network_name: str = "global/networks/default",
- disk_size_gb: int = 64,
- enable_nested_virtualization: bool = True,
- service_accounts: list[compute_v1.ServiceAccount] = [compute_v1.ServiceAccount(email=SA_EMAIL, scopes=SA_SCOPES)],
-) -> compute_v1.Instance:
- """
- Send an instance creation request to the Compute Engine API and wait for it to complete.
-
- Args:
- project_id: project ID or project number of the Cloud project you want to use.
- zone: name of the zone you want to use. For example: “us-west3-b”
- instance_name: name of the new virtual machine.
- machine_type: machine type of the VM being created. This value uses the
- following format: "zones/{zone}/machineTypes/{type_name}".
- For example: "zones/europe-west3-c/machineTypes/f1-micro"
- source_image: path to the operating system image to mount on your boot
- disk. This can be one of the public images
- (like "projects/debian-cloud/global/images/family/debian-10")
- or a private image you have access to.
- network_name: name of the network you want the new instance to use.
- For example: "global/networks/default" represents the `default`
- network interface, which is created automatically for each project.
- Returns:
- Instance object.
- """
- instance_client = compute_v1.InstancesClient()
- operation_client = compute_v1.ZoneOperationsClient()
-
- # Describe the size and source image of the boot disk to attach to the instance.
- disk = compute_v1.AttachedDisk()
- initialize_params = compute_v1.AttachedDiskInitializeParams()
- initialize_params.source_image = (
- source_image
- )
- initialize_params.disk_size_gb = disk_size_gb
- disk.initialize_params = initialize_params
- disk.auto_delete = True
- disk.boot = True
- disk.type_ = "PERSISTENT"
-
- # Use the network interface provided in the network_name argument.
- network_interface = compute_v1.NetworkInterface()
- network_interface.name = network_name
- network_interface.access_configs = [compute_v1.AccessConfig()]
-
- # Collect information into the Instance object.
- instance = compute_v1.Instance()
- instance.name = instance_name
- instance.disks = [disk]
- if re.match(r"^zones/[a-z\d\-]+/machineTypes/[a-z\d\-]+$", machine_type):
- instance.machine_type = machine_type
- else:
- instance.machine_type = f"zones/{zone}/machineTypes/{machine_type}"
- instance.network_interfaces = [network_interface]
-
- # Enable nested virtualization if requested
- advanced_machine_features = compute_v1.AdvancedMachineFeatures()
- advanced_machine_features.enable_nested_virtualization = enable_nested_virtualization
- instance.advanced_machine_features = advanced_machine_features
-
- metadata_items = [compute_v1.Items(key=k, value=v) for k, v in metadata.items()]
- metadata = compute_v1.Metadata(items=metadata_items)
- instance.metadata = metadata
-
- # set service accounts.
- instance.service_accounts = service_accounts
-
- # Prepare the request to insert an instance.
- request = compute_v1.InsertInstanceRequest()
- request.zone = zone
- request.project = project_id
- request.instance_resource = instance
-
- # Wait for the create operation to complete.
- print(f"Creating the {instance_name} instance in {zone}...")
- operation = instance_client.insert_unary(request=request)
- while operation.status != compute_v1.Operation.Status.DONE:
- operation = operation_client.wait(
- operation=operation.name, zone=zone, project=project_id
- )
- if operation.error:
- print("Error during creation:", operation.error, file=sys.stderr)
- if operation.warnings:
- print("Warning during creation:", operation.warnings, file=sys.stderr)
- print(f"Instance {instance_name} created.")
- return instance
-
-def delete_instance(
- project_id: str = 'constellation-331613',
- zone: str = 'us-central1-c',
- machine_name: str = 'coreos-builder',
- ) -> None:
- """
- Send an instance deletion request to the Compute Engine API and wait for it to complete.
-
- Args:
- project_id: project ID or project number of the Cloud project you want to use.
- zone: name of the zone you want to use. For example: “us-west3-b”
- machine_name: name of the machine you want to delete.
- """
- instance_client = compute_v1.InstancesClient()
- operation_client = compute_v1.ZoneOperationsClient()
-
- print(f"Deleting {machine_name} from {zone}...")
- operation = instance_client.delete_unary(
- project=project_id, zone=zone, instance=machine_name
- )
- while operation.status != compute_v1.Operation.Status.DONE:
- operation = operation_client.wait(
- operation=operation.name, zone=zone, project=project_id
- )
- if operation.error:
- print("Error during deletion:", operation.error, file=sys.stderr)
- if operation.warnings:
- print("Warning during deletion:", operation.warnings, file=sys.stderr)
- print(f"Instance {machine_name} deleted.")
- return
diff --git a/.github/workflows/build-coreos.yml b/.github/workflows/build-coreos.yml
deleted file mode 100644
index affd92820..000000000
--- a/.github/workflows/build-coreos.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-name: Build and Upload CoreOS image
-on:
- workflow_dispatch:
- inputs:
- coreOSConfigBranch:
- description: "Branch of CoreOS config repo to build from"
- default: "main"
- required: false
- imageVersion:
- description: "Semantic version including patch e.g. v.. (only used for releases)"
- required: false
- debug:
- description: "Build debug image"
- type: boolean
- default: false
- required: false
-
-jobs:
- build-coreos-image:
- name: "Build CoreOS using customized COSA"
- runs-on: [self-hosted, linux, nested-virt]
- permissions:
- contents: read
- packages: read
- env:
- SHELL: /bin/bash
- steps:
- - name: Checkout
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
- with:
- submodules: recursive
- token: ${{ secrets.CI_GITHUB_REPOSITORY }}
-
- - name: Install build packages
- id: install-packages
- uses: ./.github/actions/setup_linux
-
- - name: Setup Go environment
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
- with:
- go-version: "1.19.2"
-
- - name: Build bootstrapper
- if: ${{ inputs.debug == false }}
- uses: ./.github/actions/build_bootstrapper
- with:
- outputPath: ${{ github.workspace }}/build/bootstrapper
-
- - name: Build debugd
- if: ${{ inputs.debug == true }}
- uses: ./.github/actions/build_debugd
- with:
- outputPath: ${{ github.workspace }}/build/bootstrapper
-
- - name: Build disk-mapper
- uses: ./.github/actions/build_disk_mapper
- with:
- outputPath: ${{ github.workspace }}/build/disk-mapper
-
- - name: Determine version
- id: version
- uses: ./.github/actions/pseudo_version
-
- - name: Log in to the Container registry
- uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Install AzCopy
- shell: bash
- run: |
- wget -q https://aka.ms/downloadazcopy-v10-linux -O azcopy.tar.gz
- tar --strip-components 1 -xf azcopy.tar.gz
- rm azcopy.tar.gz
- echo "$(pwd)" >> $GITHUB_PATH
-
- - name: Login to Azure
- uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # tag=v1.4.6
- with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
-
- - name: Store GH token to be mounted by cosa
- shell: bash
- run: echo "machine github.com login api password ${{ secrets.CI_GITHUB_REPOSITORY }}" > /tmp/.netrc
-
- # Make sure to set valid names for GCP and Azure
- # Azure
- # gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
- # image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
- # image version has to be semantic version in the form .. . uint may not be larger than 2,147,483,647
- #
- # GCP
- # image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
- - name: Configure input variables
- shell: bash
- run: |
- timestamp=${{ steps.version.outputs.timestamp }}
- semver=${{ steps.version.outputs.semanticVersion }}
- imageVersion=${{ inputs.imageVersion }}
- pseudover=${{ steps.version.outputs.pseudoVersion }}
- echo "azureImageName=constellation-${pseudover//./-}" >> $GITHUB_ENV
- if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
- then
- echo "gcpImageName=constellation-${imageVersion//./-}" >> $GITHUB_ENV
- echo "gcpImageFamily=constellation" >> $GITHUB_ENV
- echo "azureGalleryName=Constellation" >> $GITHUB_ENV
- echo "azureImageDefinition=constellation" >> $GITHUB_ENV
- echo "azureImageVersion=${imageVersion:1}" >> $GITHUB_ENV
- elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
- then
- echo "gcpImageName=constellation-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
- echo "gcpImageFamily=constellation-debug-${semver//./-}" >> $GITHUB_ENV
- echo "azureGalleryName=Constellation_Debug" >> $GITHUB_ENV
- echo "azureImageDefinition=${semver}" >> $GITHUB_ENV
- echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
- else
- echo "gcpImageName=constellation-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
- echo "gcpImageFamily=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
- echo "azureGalleryName=Constellation_Testing" >> $GITHUB_ENV
- echo "azureImageDefinition=${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
- echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
- fi
-
- - name: Build and Upload
- id: build-and-upload
- shell: bash
- run: |
- make cosa-image
- make -j$(nproc) CONTAINER_ENGINE=docker NETRC=/tmp/.netrc \
- COSA_INIT_BRANCH="${{ inputs.coreOSConfigBranch }}" \
- GCP_IMAGE_NAME="${{ env.gcpImageName }}" GCP_IMAGE_FAMILY="${{ env.gcpImageFamily }}" \
- AZURE_IMAGE_DEFINITION="${{ env.azureImageDefinition }}" AZURE_IMAGE_VERSION="${{ env.azureImageVersion }}" AZURE_GALLERY_NAME="${{ env.azureGalleryName }}" AZURE_IMAGE_NAME="${{ env.azureImageName }}"\
- image-gcp image-azure upload-gcp upload-azure
- working-directory: ${{ github.workspace }}/image
diff --git a/.github/workflows/e2e-test-manual-macos.yml b/.github/workflows/e2e-test-manual-macos.yml
index ece2d9fbe..a97ab3b69 100644
--- a/.github/workflows/e2e-test-manual-macos.yml
+++ b/.github/workflows/e2e-test-manual-macos.yml
@@ -27,13 +27,13 @@ on:
 description: "Kubernetes version to create the cluster from."
 default: "1.24"
 required: true
- coreosImage:
- description: "CoreOS image (full path). Examples are in internal/config/config.go."
+ osImage:
+ description: "OS image (full path). Examples are in internal/config/config.go."
 default: "debug-latest"
 type: string
 required: true
 isDebugImage:
- description: "Is CoreOS image a debug image?"
+ description: "Is OS image a debug image?"
 type: boolean
 default: true
 required: false
@@ -127,7 +127,7 @@ jobs:
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
- coreosImage: ${{ github.event.inputs.coreosImage }}
+ osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}
 - name: Always terminate cluster
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
index 8d6573512..96d84162d 100644
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@@ -27,12 +27,12 @@ on:
 description: "Kubernetes version to create the cluster from."
 default: "1.24"
 required: true
- coreosImage:
- description: "CoreOS image (full path). Examples are in internal/config/config.go."
+ osImage:
+ description: "OS image (full path). Examples are in internal/config/config.go."
 default: "debug-latest"
 required: false
 isDebugImage:
- description: "Is CoreOS image a debug image?"
+ description: "Is OS image a debug image?"
 type: boolean
 default: true
 required: false
@@ -89,7 +89,7 @@ jobs:
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
- coreosImage: ${{ github.event.inputs.coreosImage }}
+ osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}
 - name: Always terminate cluster
diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml
index e0e292d85..fce43d6ff 100644
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@@ -11,12 +11,12 @@ on:
 - "gcp"
 default: "gcp"
 required: true
- coreosImage:
- description: "CoreOS image (full path). Examples are in internal/config/config.go."
+ osImage:
+ description: "OS image (full path). Examples are in internal/config/config.go."
 type: string
 required: true
 isDebugImage:
- description: "Is CoreOS image a debug image?"
+ description: "Is OS image a debug image?"
 type: boolean
 required: true

@@ -56,7 +56,7 @@ jobs:
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
- coreosImage: ${{ github.event.inputs.coreosImage }}
+ osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}
 cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
 cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
diff --git a/3rdparty/coreos-assembler/.gitignore b/3rdparty/coreos-assembler/.gitignore
deleted file mode 100644
index 378eac25d..000000000
--- a/3rdparty/coreos-assembler/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-build
diff --git a/3rdparty/coreos-assembler/HACKING.md b/3rdparty/coreos-assembler/HACKING.md
deleted file mode 100644
index 9e829bdcb..000000000
--- a/3rdparty/coreos-assembler/HACKING.md
+++ /dev/null
@@ -1,34 +0,0 @@ -# dm-verity patch for CoreOS assembler - -Constellation uses CoreOS as a base for OS images. While the images are mostly unmodified and can be built using the upstream CoreOS assembler, small modifications to the assembler are required to support dm-verity for the root filesystem. - -Checkout the CoreOS assembler source code [from the upstream repo](https://github.com/coreos/coreos-assembler) using the commit ID specified in the [Makefile](Makefile) - -```shell-session -make clone -``` - -Apply the patch: - -```shell-session -make patch -``` - -Now you can make changes to the coreos-assembler and compile it using the included `Dockerfile`: - -```shell-session -make containerimage -``` - -Once you are done, create a new patch file (within `3rdparty/coreos-assembler/build/coreos-assembler`): -```shell-session -git diff HEAD^ > ../../verity.patch -``` - -## Building the CoreOS assembler container image - -```shell-session -make -``` - -The resulting container image will be tagged as `localhost/coreos-assembler`. diff --git a/3rdparty/coreos-assembler/Makefile b/3rdparty/coreos-assembler/Makefile deleted file mode 100644 index 4b282ac60..000000000 --- a/3rdparty/coreos-assembler/Makefile +++ /dev/null @@ -1,28 +0,0 @@ -CONTAINER_RUNTIME ?= docker -IMAGENAME ?= localhost/coreos-assembler -IMAGETAG ?= latest -UPSTREAM ?= https://github.com/coreos/coreos-assembler -COMMIT ?= 2dd33ddc36e6b9e1cc01ee0740f29020d203ceb2 -SRC_PATH = $(CURDIR) -BASE_PATH ?= $(SRC_PATH) -BUILDDIR ?= $(BASE_PATH)/build -CLONEDIR ?= $(BUILDDIR)/coreos-assembler - - -.PHONY: all clone patch containerimage clean - -all: clone patch containerimage - -clone: - @mkdir -p $(BUILDDIR) - git clone $(UPSTREAM) $(CLONEDIR) - cd $(CLONEDIR) && git checkout $(COMMIT) - -patch: - cd $(CLONEDIR) && patch --verbose -p1 < $(BASE_PATH)/verity.patch - -containerimage: - cd $(CLONEDIR) && $(CONTAINER_RUNTIME) build -t $(IMAGENAME):$(IMAGETAG) -f Dockerfile . - -clean: - rm -rf $(BUILDDIR) 
diff --git a/3rdparty/coreos-assembler/verity.patch b/3rdparty/coreos-assembler/verity.patch
deleted file mode 100644
index b63619da9..000000000
--- a/3rdparty/coreos-assembler/verity.patch
+++ /dev/null
@@ -1,232 +0,0 @@ -diff --git a/Dockerfile b/Dockerfile -index 80c008a2d..329171970 100644 ---- a/Dockerfile -+++ b/Dockerfile -@@ -38,3 +38,12 @@ RUN chmod g=u /etc/passwd - # run as `builder` user - USER builder - ENTRYPOINT ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"] -+ -+# Constellation start -+USER root -+ -+RUN dnf -y update && \ -+ dnf install -y veritysetup && \ -+ dnf clean all -+ -+USER builder -+# Constellation end -diff --git a/mantle/platform/qemu.go b/mantle/platform/qemu.go -index d4d5eafa7..20f156315 100644 ---- a/mantle/platform/qemu.go -+++ b/mantle/platform/qemu.go -@@ -449,7 +449,7 @@ type QemuBuilder struct { - func NewQemuBuilder() *QemuBuilder { - ret := QemuBuilder{ - Firmware: "bios", -- Swtpm: true, -+ Swtpm: false, - Pdeathsig: true, - Argv: []string{}, - } -diff --git a/src/cosalib/qemuvariants.py b/src/cosalib/qemuvariants.py -index 8d57803b1..cdad6aeba 100644 ---- a/src/cosalib/qemuvariants.py -+++ b/src/cosalib/qemuvariants.py -@@ -81,7 +81,7 @@ VARIANTS = { - "image_suffix": "tar.gz", - "gzip": True, - "convert_options": { -- '-o': 'preallocation=off' -+ '-o': 'preallocation=full' - }, - "tar_members": [ - "disk.raw" -diff --git a/src/create_disk.sh b/src/create_disk.sh -index 61d52cd96..fa3fe1655 100755 ---- a/src/create_disk.sh -+++ b/src/create_disk.sh -@@ -188,6 +188,7 @@ set -x - SDPART=1 - BOOTPN=3 - ROOTPN=4 -+VERITYHASHPN=5 - # Make the size relative - if [ "${rootfs_size}" != "0" ]; then - rootfs_size="+${rootfs_size}" -@@ -201,7 +202,8 @@ case "$arch" in - -n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \ - -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 -+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ -+ -n 
${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity - sgdisk -p "$disk" - ;; - aarch64) -@@ -212,7 +214,8 @@ case "$arch" in - -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \ - -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 -+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ -+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity - sgdisk -p "$disk" - ;; - s390x) -@@ -222,6 +225,7 @@ case "$arch" in - -n ${SDPART}:0:+200M -c ${SDPART}:se -t ${SDPART}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 -+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ -+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity - else - # NB: in the bare metal case when targeting ECKD DASD disks, this - # partition table is not what actually gets written to disk in the end: -@@ -231,7 +235,8 @@ case "$arch" in - -U "${uninitialized_gpt_uuid}" \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 -+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ -+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity - fi - sgdisk -p "$disk" - ;; - ppc64le) -@@ -243,7 +248,8 @@ case "$arch" in - -n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \ - -n ${RESERVEDPN}:0:+1M -c 
${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \ - -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 -+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ -+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity - sgdisk -p "$disk" - ;; - esac -@@ -251,10 +257,11 @@ esac - udevtrig - - zipl_dev="${disk}${SDPART}" - boot_dev="${disk}${BOOTPN}" - root_dev="${disk}${ROOTPN}" -+hash_dev="${disk}${VERITYHASHPN}" - - bootargs= - # If the bootfs_metadata_csum_seed image.yaml knob is set to true then - # we'll enable the metadata_csum_seed filesystem feature. This is - # gated behind an image.yaml knob because support for this feature -@@ -305,17 +315,17 @@ case "${rootfs_type}" in - # And reflinks are *very* useful for the container stack with overlayfs (and in general). - # So basically, we're choosing performance over half-implemented security. - # Eventually, we'd like both - once XFS gains verity (probably not too hard), - # we could unconditionally enable it there. 
- # shellcheck disable=SC2086 -- mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} -+ mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} - ;; - btrfs) - # shellcheck disable=SC2086 -- mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} -+ mkfs.btrfs -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} - ;; - xfs|"") - # shellcheck disable=SC2086 -- mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args} -+ mkfs.xfs "${root_dev}" -L root_raw -m reflink=1 -m uuid="${rootfs_uuid}" -s "size=4096" ${rootfs_args} - ;; - *) - echo "Unknown rootfs_type: $rootfs_type" 1>&2 -@@ -536,11 +428,10 @@ s390x) - esac - - ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}" --# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA --# https://github.com/ostreedev/ostree/issues/1265 --ostree config --repo $rootfs/ostree/repo set sysroot.readonly true -+# constellation: setting readonly to false interestingly stops ostree from remounting anything as rw -+ostree config --repo $rootfs/ostree/repo set sysroot.readonly false - # enable support for GRUB password - if [ "${bootloader_backend}" = "none" ]; then - ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""' - fi - -@@ -542,15 +548,16 @@ s390x) - # enable support for GRUB password - if [ "${bootloader_backend}" = "none" ]; then - ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""' - fi - --touch $rootfs/boot/ignition.firstboot -+# constellation: do not enable ignition on first boot -+# touch $rootfs/boot/ignition.firstboot - - # Finally, add the immutable bit to the physical root; we don't - # expect people to be creating anything there. 
A use case for - # OSTree in general is to support installing *inside* the existing - # root of a deployed OS, so OSTree doesn't do this by default, but - # we have no reason not to enable it here. Administrators should - # generally expect that state data is in /etc and /var; if anything - # else is in /sysroot it's probably by accident. - chattr +i $rootfs -@@ -557,10 +564,21 @@ chattr +i $rootfs - - fstrim -a -v - # Ensure the filesystem journals are flushed --for fs in $rootfs/boot $rootfs; do -+mount -o remount,ro $rootfs/boot -+for fs in $rootfs; do - mount -o remount,ro $fs - xfs_freeze -f $fs - done - umount -R $rootfs - - rmdir $rootfs -+ -+# setup dm-verity and disable audit logs -+veritysetup_out=$(veritysetup format "${root_dev}" "${hash_dev}") -+verity_root_hash=$(echo "${veritysetup_out}" | grep 'Root hash:' | sed --expression='s/Root hash:\s*//g') -+bootfs_mount=/tmp/boot -+rm -rf "${bootfs_mount}" -+mkdir -p "${bootfs_mount}" -+mount "${disk}${BOOTPN}" "${bootfs_mount}" -+sed -i -e "s/^options .*/\0 audit=0 verity.sysroot=${verity_root_hash}/g" "${bootfs_mount}/loader.1/entries/ostree-1-fedora-coreos.conf" -+umount "${bootfs_mount}" -diff --git a/src/gf-fsck b/src/gf-fsck -index 2d07eca2a..46c137672 100755 ---- a/src/gf-fsck -+++ b/src/gf-fsck -@@ -28,7 +28,7 @@ for pt in $partitions; do - done - - # And fsck the main rootfs --root=$(coreos_gf findfs-label root) -+root=$(coreos_gf findfs-label root_raw) - coreos_gf debug sh "fsck.xfs -f -n ${root}" - - coreos_gf_shutdown -diff --git a/src/libguestfish.sh b/src/libguestfish.sh -index 82cfcf86e..635fb9eaa 100755 ---- a/src/libguestfish.sh -+++ b/src/libguestfish.sh -@@ -64,7 +64,7 @@ coreos_gf_run_mount() { - shift - fi - coreos_gf_run "$@" -- root=$(coreos_gf findfs-label root) -+ root=$(coreos_gf findfs-label root_raw) - coreos_gf ${mntarg} "${root}" / - local boot - boot=$(coreos_gf findfs-label boot) -diff --git a/src/vmdeps.txt b/src/vmdeps.txt -index 6c6045840..ddbece267 100644 ---- 
a/src/vmdeps.txt -+++ b/src/vmdeps.txt -@@ -27,5 +27,8 @@ gdisk xfsprogs e2fsprogs dosfstools btrfs-progs - - # needed for basic CA support - ca-certificates - - tar -+ -+# dm-verity -+veritysetup diff --git a/README.md b/README.md index f9d097376..166f99fc3 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ Encrypting your K8s is good for: ### 🔍 Everything verifiable * "Whole cluster" [attestation][cluster-attestation] based on the remote-attestation feature of CVMs -* Confidential computing-optimized [node images][images] based on Fedora CoreOS; fully measured and integrity-protected +* Confidential computing-optimized [node images][images]; fully measured and integrity-protected * [Supply chain protection][supply-chain] with [sigstore](https://www.sigstore.dev/) ### 🚀 Performance and scale diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go index cebba2be6..1d3316f9e 100644 --- a/bootstrapper/cmd/bootstrapper/main.go +++ b/bootstrapper/cmd/bootstrapper/main.go @@ -109,7 +109,7 @@ func main() { log.With(zap.Error(err)).Fatalf("Failed to create cloud controller manager") } clusterInitJoiner = kubernetes.New( - "gcp", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), cloudControllerManager, + "gcp", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), cloudControllerManager, &gcpcloud.CloudNodeManager{}, &gcpcloud.Autoscaler{}, metadata, pcrsJSON, helmClient, ) openTPM = vtpm.OpenVTPM @@ -142,7 +142,7 @@ func main() { log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs") } clusterInitJoiner = kubernetes.New( - "azure", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), azurecloud.NewCloudControllerManager(metadata), + "azure", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), azurecloud.NewCloudControllerManager(metadata), &azurecloud.CloudNodeManager{}, &azurecloud.Autoscaler{}, metadata, pcrsJSON, helmClient, ) 
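Review bot: The new type name `KubdeadmConfiguration` passed in the `kubernetes.New(...)` calls is misspelled — the tool is kubeadm, so the identifier should read `KubeadmConfiguration`. The same misspelling is introduced where the type is defined in `bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go` (the `type` line and both receivers) and throughout the `kubeadm_config_test.go` hunks, including the local `kubdeadmConfig` in `TestJoinConfiguration`. Since this commit is the rename itself, correcting the spelling now avoids shipping an exported identifier that will need a second rename. The body of `main` continues outside these hunks.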
@@ -163,7 +163,7 @@ func main() {
 log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
 }
 clusterInitJoiner = kubernetes.New(
- "qemu", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), &qemucloud.CloudControllerManager{},
+ "qemu", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), &qemucloud.CloudControllerManager{},
 &qemucloud.CloudNodeManager{}, &qemucloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
 )
 metadataAPI = metadata
diff --git a/bootstrapper/internal/helm/client.go b/bootstrapper/internal/helm/client.go
index 6a05a0304..c1fb8a123 100644
--- a/bootstrapper/internal/helm/client.go
+++ b/bootstrapper/internal/helm/client.go
@@ -38,7 +38,7 @@ type Client struct {
 // New creates a new client with the given logger.
 func New(log *logger.Logger) (*Client, error) {
 settings := cli.New()
- settings.KubeConfig = constants.CoreOSAdminConfFilename
+ settings.KubeConfig = constants.ControlPlaneAdminConfFilename
 actionConfig := &action.Configuration{}
 if err := actionConfig.Init(settings.RESTClientGetter(), constants.HelmNamespace,
@@ -83,7 +83,7 @@ func (h *Client) installCiliumAzure(ctx context.Context, release helm.Release, k
 }

 func (h *Client) installlCiliumGCP(ctx context.Context, kubectl k8sapi.Client, release helm.Release, nodeName, nodePodCIDR, subnetworkPodCIDR, kubeAPIEndpoint string) error {
- out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", constants.CoreOSAdminConfFilename, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
+ out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", constants.ControlPlaneAdminConfFilename, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
 if err != nil {
 err = errors.New(string(out))
 return err
diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
index 4fa014ea2..1d872cca5 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@@ -29,9 +29,9 @@ const (
 auditPolicyPath = "/etc/kubernetes/audit-policy.yaml"
 )

-type CoreOSConfiguration struct{}
+type KubdeadmConfiguration struct{}

-func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML {
+func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML {
 var cloudProvider string
 if externalCloudProvider {
 cloudProvider = "external"
@@ -171,7 +171,7 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sV
 }
 }

-func (c *CoreOSConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML {
+func (c *KubdeadmConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML {
 var cloudProvider string
 if externalCloudProvider {
 cloudProvider = "external"
diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go
index a77a4f0cc..eba0d7304 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go
@@ -22,17 +22,17 @@ func TestMain(m *testing.M) {
 }

 func TestInitConfiguration(t *testing.T) {
- coreOSConfig := CoreOSConfiguration{}
+ kubeadmConfig := KubdeadmConfiguration{}

 testCases := map[string]struct {
 config KubeadmInitYAML
 }{
- "CoreOS init config can be created": {
- config: coreOSConfig.InitConfiguration(true, versions.Default),
+ "kubeadm init config can be created": {
+ config: kubeadmConfig.InitConfiguration(true, versions.Default),
 },
- "CoreOS init config with all fields can be created": {
+ "kubeadm init config with all fields can be created": {
 config: func() KubeadmInitYAML {
- c := coreOSConfig.InitConfiguration(true, versions.Default)
+ c := kubeadmConfig.InitConfiguration(true, versions.Default)
 c.SetAPIServerAdvertiseAddress("192.0.2.0")
 c.SetNodeIP("192.0.2.0")
 c.SetNodeName("node")
@@ -60,7 +60,7 @@ func TestInitConfiguration(t *testing.T) {
 }

 func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
- coreOSConfig := CoreOSConfiguration{}
+ kubeadmConfig := KubdeadmConfiguration{}

 testCases := map[string]struct {
 config KubeadmInitYAML
@@ -68,11 +68,11 @@ func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
 wantErr bool
 }{
 "Kubeadm accepts version 'Latest'": {
- config: coreOSConfig.InitConfiguration(true, versions.Default),
+ config: kubeadmConfig.InitConfiguration(true, versions.Default),
 expectedVersion: fmt.Sprintf("v%s", versions.VersionConfigs[versions.Default].PatchVersion),
 },
 "Kubeadm receives incompatible version": {
- config: coreOSConfig.InitConfiguration(true, "1.19"),
+ config: kubeadmConfig.InitConfiguration(true, "1.19"),
 wantErr: true,
 },
 }
@@ -92,17 +92,17 @@ func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
 }

 func TestJoinConfiguration(t *testing.T) {
- coreOSConfig := CoreOSConfiguration{}
+ kubdeadmConfig := KubdeadmConfiguration{}

 testCases := map[string]struct {
 config KubeadmJoinYAML
 }{
- "CoreOS join config can be created": {
- config: coreOSConfig.JoinConfiguration(true),
+ "kubeadm join config can be created": {
+ config: kubdeadmConfig.JoinConfiguration(true),
 },
- "CoreOS join config with all fields can be created": {
+ "kubeadm join config with all fields can be created": {
 config: func() KubeadmJoinYAML {
- c := coreOSConfig.JoinConfiguration(true)
+ c := kubdeadmConfig.JoinConfiguration(true)
 c.SetAPIServerEndpoint("192.0.2.0:6443")
 c.SetNodeIP("192.0.2.0")
 c.SetNodeName("node")
diff --git a/cli/internal/cloudcmd/upgrade.go b/cli/internal/cloudcmd/upgrade.go
index d35a684af..5d08c11d6 100644
--- a/cli/internal/cloudcmd/upgrade.go
+++ b/cli/internal/cloudcmd/upgrade.go
@@ -71,7 +71,7 @@ func (u *Upgrader) Upgrade(ctx context.Context, image string, measurements map[u

 // GetCurrentImage returns the currently used image of the cluster.
 func (u *Upgrader) GetCurrentImage(ctx context.Context) (*unstructured.Unstructured, string, error) {
- imageStruct, err := u.imageUpdater.getCurrent(ctx, "constellation-coreos")
+ imageStruct, err := u.imageUpdater.getCurrent(ctx, "constellation-os")
 if err != nil {
 return nil, "", err
 }
diff --git a/cli/internal/cmd/upgradeplan.go b/cli/internal/cmd/upgradeplan.go
index a0bc949b4..7e1229b35 100644
--- a/cli/internal/cmd/upgradeplan.go
+++ b/cli/internal/cmd/upgradeplan.go
@@ -307,8 +307,8 @@ type upgradePlanFlags struct {
 }

 type imageManifest struct {
- AzureImage string `json:"AzureCoreOSImage"`
- GCPImage string `json:"GCPCoreOSImage"`
+ AzureImage string `json:"AzureOSImage"`
+ GCPImage string `json:"GCPOSImage"`
 }

 type nopWriteCloser struct {
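Review bot: `GetCurrentImage` now looks up the NodeImage resource by the name `constellation-os`, but a cluster created before this change still carries the resource under its old name (the operator README hunk in this commit shows that name as `constellation-coreos`), so a CLI built from this commit would fail the lookup on such a cluster instead of upgrading it. If older clusters are meant to stay upgradable, fall back to the old name when the new one is not found, or document the cutover; in either case the literal deserves a comment, e.g. `// Name of the NodeImage resource the node operator manages; must match what the operator deploys.` The body of `Upgrade` above this hunk lies outside the visible range.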
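Review bot: Renaming the JSON tags on `imageManifest` to `AzureOSImage`/`GCPOSImage` silently breaks decoding of any manifest that was published with the old `AzureCoreOSImage`/`GCPCoreOSImage` keys — `encoding/json` ignores unknown keys, so both fields would come back as empty strings without an error. The producer in `hack/build-manifest/manifest.go` (later in this diff) changes in step, but manifests already generated are not touched by this commit. Consider accepting the old keys as well until every published manifest uses the new names, or at least checking after decoding that both fields are non-empty and failing with a clear message otherwise.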
diff --git a/cli/internal/terraform/terraform/qemu/main.tf b/cli/internal/terraform/terraform/qemu/main.tf
index 679b66334..acf625013 100644
--- a/cli/internal/terraform/terraform/qemu/main.tf
+++ b/cli/internal/terraform/terraform/qemu/main.tf
@@ -57,7 +57,7 @@ module "control_plane" {
 cidr = "10.42.1.0/24"
 network_id = libvirt_network.constellation.id
 pool = libvirt_pool.cluster.name
- boot_volume_id = libvirt_volume.constellation_coreos_image.id
+ boot_volume_id = libvirt_volume.constellation_os_image.id
 machine = var.machine
 firmware = var.firmware
 nvram = var.nvram
@@ -74,7 +74,7 @@ module "worker" {
 cidr = "10.42.2.0/24"
 network_id = libvirt_network.constellation.id
 pool = libvirt_pool.cluster.name
- boot_volume_id = libvirt_volume.constellation_coreos_image.id
+ boot_volume_id = libvirt_volume.constellation_os_image.id
 machine = var.machine
 firmware = var.firmware
 nvram = var.nvram
@@ -87,10 +87,10 @@ resource "libvirt_pool" "cluster" {
 path = "/var/lib/libvirt/images"
 }

-resource "libvirt_volume" "constellation_coreos_image" {
+resource "libvirt_volume" "constellation_os_image" {
 name = "${var.name}-node-image"
 pool = libvirt_pool.cluster.name
- source = var.constellation_coreos_image
+ source = var.constellation_os_image
 format = var.image_format
 }

diff --git a/cli/internal/terraform/terraform/qemu/variables.tf b/cli/internal/terraform/terraform/qemu/variables.tf
index a1b8007fd..473640333 100644
--- a/cli/internal/terraform/terraform/qemu/variables.tf
+++ b/cli/internal/terraform/terraform/qemu/variables.tf
@@ -3,7 +3,7 @@ variable "libvirt_uri" {
 description = "libvirt socket uri"
 }

-variable "constellation_coreos_image" {
+variable "constellation_os_image" {
 type = string
 description = "constellation OS file path"
 }
diff --git a/cli/internal/terraform/variables.go b/cli/internal/terraform/variables.go
index 8f5187554..718f67f12 100644
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@@ -155,7 +155,7 @@ func (v *QEMUVariables) String() string {
 b.WriteString(v.CommonVariables.String())
 writeLinef(b, "libvirt_uri = %q", v.LibvirtURI)
 writeLinef(b, "libvirt_socket_path = %q", v.LibvirtSocketPath)
- writeLinef(b, "constellation_coreos_image = %q", v.ImagePath)
+ writeLinef(b, "constellation_os_image = %q", v.ImagePath)
 writeLinef(b, "image_format = %q", v.ImageFormat)
 writeLinef(b, "vcpus = %d", v.CPUCount)
 writeLinef(b, "memory = %d", v.MemorySizeMiB)
diff --git a/debugd/README.md b/debugd/README.md
index 4512b5ad9..25f452ff9 100644
--- a/debugd/README.md
+++ b/debugd/README.md
@@ -1,7 +1,7 @@
 # debug daemon (debugd)

 Debugd is a tool we built to allow for shorter iteration cycles during development.
-The debugd gets embedded into coreOS images at the place where the bootstrapper normally sits.
+The debugd gets embedded into OS images at the place where the bootstrapper normally sits.
 Therefore, when a debug image is started, the debugd starts executing instead of the bootstrapper.
 The debugd will then wait for a request from the `cdbg` tool to upload a bootstrapper binary.
 Once the upload is finished debugd will start the bootstrapper.
diff --git a/debugd/internal/cdbg/cmd/root.go b/debugd/internal/cdbg/cmd/root.go
index bdee15004..66c540adb 100644
--- a/debugd/internal/cdbg/cmd/root.go
+++ b/debugd/internal/cdbg/cmd/root.go
@@ -18,7 +18,7 @@ func newRootCmd() *cobra.Command {
 Use: "cdbg",
 Short: "Constellation debugging client",
 Long: `cdbg is the constellation debugging client.
- It connects to CoreOS instances running debugd and deploys a self-compiled version of the bootstrapper.`,
+ It connects to Constellation instances running debugd and deploys a self-compiled version of the bootstrapper.`,
 }
 cmd.PersistentFlags().String("config", constants.ConfigFilename, "Constellation config file")
 cmd.AddCommand(newDeployCmd())
diff --git a/hack/build-manifest/manifest.go b/hack/build-manifest/manifest.go
index 4796db2a9..9742ec951 100644
--- a/hack/build-manifest/manifest.go
+++ b/hack/build-manifest/manifest.go
@@ -13,8 +13,8 @@ type Manifest struct {
 }

 type Images struct {
- AzureCoreosImage string `json:"AzureCoreOSImage"`
- GCPCoreOSImage string `json:"GCPCoreOSImage"`
+ AzureOSImage string `json:"AzureOSImage"`
+ GCPOSImage string `json:"GCPOSImage"`
 }

 // OldManifests provides Constellation releases to image mapping. These are the
@@ -23,28 +23,28 @@ func OldManifests() Manifest { return Manifest{ releases: map[string]Images{ "v1.0.0": { - AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1651150807", - GCPCoreOSImage: "constellation-coreos-1651150807", + AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1651150807", + GCPOSImage: "constellation-coreos-1651150807", }, "v1.1.0": { - AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654096948", - GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1654096948", + AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654096948", + GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1654096948", }, "v1.2.0": { - AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332", - GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332", + AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332", + GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332", }, "v1.3.0": { - AzureCoreosImage: 
"/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332", - GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332", + AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332", + GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332", }, "v1.3.1": { - AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1657199013", - GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1657199013", + AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1657199013", + GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1657199013", }, "v1.4.0": { - AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699", - GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1659453699", + AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699", + GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1659453699", }, }, } 
@@ -56,20 +56,20 @@ func (m *Manifest) MarshalJSON() ([]byte, error) {

 func (m *Manifest) SetAzureImage(version string, image string) {
 if release, ok := m.releases[version]; !ok {
- images := Images{AzureCoreosImage: image}
+ images := Images{AzureOSImage: image}
 m.releases[version] = images
 } else {
- release.AzureCoreosImage = image
+ release.AzureOSImage = image
 m.releases[version] = release
 }
 }

 func (m *Manifest) SetGCPImage(version string, image string) {
 if release, ok := m.releases[version]; !ok {
- images := Images{GCPCoreOSImage: image}
+ images := Images{GCPOSImage: image}
 m.releases[version] = images
 } else {
- release.GCPCoreOSImage = image
+ release.GCPOSImage = image
 m.releases[version] = release
 }
 }
diff --git a/hack/importAzure.sh b/hack/importAzure.sh
index e3028b4d8..96ca961be 100755
--- a/hack/importAzure.sh
+++ b/hack/importAzure.sh
@@ -43,7 +43,7 @@ AZURE_PUBLISHER="${AZURE_PUBLISHER:-edgelesssys}"
 AZURE_IMAGE_NAME="${AZURE_IMAGE_NAME:-upload-target}"
 AZURE_IMAGE_OFFER="${AZURE_IMAGE_OFFER:-constellation}"
 AZURE_IMAGE_DEFINITION="${AZURE_IMAGE_DEFINITION:-constellation}"
-AZURE_SKU="${AZURE_SKU:-constellation-coreos}"
+AZURE_SKU="${AZURE_SKU:-constellation}"
 AZURE_SECURITY_TYPE="${AZURE_SECURITY_TYPE:-TrustedLaunch}"

 if [[ -z "${AZURE_RESOURCE_GROUP_NAME}" ]]; then
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 7f9a32fe0..e4d16e9c9 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
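Review bot: The new default `AZURE_SKU` value `constellation` is a behaviour change rather than a rename: a run that relies on the default will no longer address image versions already published under the `constellation-coreos` SKU, and the default is now identical to the `AZURE_IMAGE_OFFER` and `AZURE_IMAGE_DEFINITION` defaults two lines above, which makes it harder to tell in the portal which of the three a given value came from. If this is intended, a one-line comment above the assignment recording that `constellation-coreos` is the pre-rename SKU, e.g. `# SKU for new uploads; images published before the OS rename used "constellation-coreos"`, would spare the next reader a git blame.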
@@ -58,16 +58,16 @@ const (
 //
 // Filenames.
 //
- ClusterIDsFileName = "constellation-id.json"
- ConfigFilename = "constellation-conf.yaml"
- LicenseFilename = "constellation.license"
- DebugdConfigFilename = "cdbg-conf.yaml"
- AdminConfFilename = "constellation-admin.conf"
- MasterSecretFilename = "constellation-mastersecret.json"
- WGQuickConfigFilename = "wg0.conf"
- CoreOSAdminConfFilename = "/etc/kubernetes/admin.conf"
- KubeadmCertificateDir = "/etc/kubernetes/pki"
- KubectlPath = "/run/state/bin/kubectl"
+ ClusterIDsFileName = "constellation-id.json"
+ ConfigFilename = "constellation-conf.yaml"
+ LicenseFilename = "constellation.license"
+ DebugdConfigFilename = "cdbg-conf.yaml"
+ AdminConfFilename = "constellation-admin.conf"
+ MasterSecretFilename = "constellation-mastersecret.json"
+ WGQuickConfigFilename = "wg0.conf"
+ ControlPlaneAdminConfFilename = "/etc/kubernetes/admin.conf"
+ KubeadmCertificateDir = "/etc/kubernetes/pki"
+ KubectlPath = "/run/state/bin/kubectl"

 //
 // Filenames for Constellation's micro services.
diff --git a/internal/deploy/ssh/ssh.go b/internal/deploy/ssh/ssh.go
index b7a7baa39..4d35bbab3 100644
--- a/internal/deploy/ssh/ssh.go
+++ b/internal/deploy/ssh/ssh.go
@@ -65,6 +65,7 @@ func (s *Access) GetAuthorizedKeys() []UserKey {
 }

 // DeployAuthorizedKey takes an user & public key pair, creates the user if required and deploy a SSH key for them.
+// TODO: Refactor to not write to /etc or /home.
 func (s *Access) DeployAuthorizedKey(ctx context.Context, sshKey UserKey) error {
 // allow only one thread to write to authorized keys, create users and update the authorized map at a time
 s.mux.Lock()
diff --git a/joinservice/internal/kubeadm/kubeadm.go b/joinservice/internal/kubeadm/kubeadm.go
index cab2cfe2d..f5faa93c6 100644
--- a/joinservice/internal/kubeadm/kubeadm.go
+++ b/joinservice/internal/kubeadm/kubeadm.go
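Review bot: The added `// TODO: Refactor to not write to /etc or /home.` on `DeployAuthorizedKey` names the goal but not the reason, so a later reader cannot tell what constraint the refactor must satisfy or when it is done. Given that this commit also removes the dm-verity root-filesystem tooling, the motivation is presumably that those paths belong to the integrity-protected OS image rather than to mutable state, but that is not stated anywhere in the diff. Suggest spelling it out, e.g. `// TODO: Refactor to not write to /etc or /home: <reason, e.g. these paths are part of the measured OS image>; user and key state should live in <the intended writable location>.`, with the placeholders filled in by whoever knows the target layout. The body of `DeployAuthorizedKey` continues outside the hunk.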
@@ -85,7 +85,7 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov
 
 	// parse Kubernetes CA certs
 	k.log.Infof("Preparing join token for new node")
-	rawConfig, err := k.file.Read(constants.CoreOSAdminConfFilename)
+	rawConfig, err := k.file.Read(constants.ControlPlaneAdminConfFilename)
 	if err != nil {
 		return nil, fmt.Errorf("loading kubeconfig file: %w", err)
 	}
diff --git a/joinservice/internal/kubeadm/kubeadm_test.go b/joinservice/internal/kubeadm/kubeadm_test.go
index 14613b4f3..25fc43e2a 100644
--- a/joinservice/internal/kubeadm/kubeadm_test.go
+++ b/joinservice/internal/kubeadm/kubeadm_test.go
@@ -90,7 +90,7 @@ kind: Config`,
 				client: fake.NewSimpleClientset(),
 			}
 			if tc.adminConf != "" {
-				require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone))
+				require.NoError(client.file.Write(constants.ControlPlaneAdminConfFilename, []byte(tc.adminConf), file.OptNone))
 			}
 
 			res, err := client.GetJoinToken(time.Minute)
diff --git a/operators/constellation-node-operator/README.md b/operators/constellation-node-operator/README.md
index fa7013de3..1112cfe3e 100644
--- a/operators/constellation-node-operator/README.md
+++ b/operators/constellation-node-operator/README.md
@@ -24,7 +24,7 @@ Example for GCP:
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos
+  name: constellation-os
 spec:
   image: "projects/constellation-images/global/images/"
 ```
@@ -34,7 +34,7 @@ Example for Azure:
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos
+  name: constellation-os
 spec:
   image: "/subscriptions//resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images//versions/"
 ```
@@ -70,7 +70,7 @@ kind: ScalingGroup
 metadata:
   name: scalinggroup-worker
 spec:
-  nodeImage: "constellation-coreos"
+  nodeImage: "constellation-os"
   groupId: "projects//zones//instanceGroupManagers/"
   autoscaling: true
 ```
@@ -83,7 +83,7 @@ kind: ScalingGroup
 metadata:
   name: scalinggroup-worker
 spec:
-  nodeImage: "constellation-coreos"
+  nodeImage: "constellation-os"
   groupId: "/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachineScaleSets/"
   autoscaling: true
 ```
diff --git a/operators/constellation-node-operator/config/samples/update_v1alpha1_nodeimage.yaml b/operators/constellation-node-operator/config/samples/update_v1alpha1_nodeimage.yaml
index 046f4b96f..6a1a64093 100644
--- a/operators/constellation-node-operator/config/samples/update_v1alpha1_nodeimage.yaml
+++ b/operators/constellation-node-operator/config/samples/update_v1alpha1_nodeimage.yaml
@@ -1,7 +1,7 @@
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos-azure
+  name: constellation-os-azure
   namespace: kube-system
 spec:
   image: "/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images//versions/"
@@ -9,7 +9,7 @@ spec:
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos-gcp
+  name: constellation-os-gcp
   namespace: kube-system
 spec:
   image: projects//global/images/
diff --git a/operators/constellation-node-operator/config/samples/update_v1alpha1_scalinggroup.yaml b/operators/constellation-node-operator/config/samples/update_v1alpha1_scalinggroup.yaml
index 9a373907a..db1a5c2c4 100644
--- a/operators/constellation-node-operator/config/samples/update_v1alpha1_scalinggroup.yaml
+++ b/operators/constellation-node-operator/config/samples/update_v1alpha1_scalinggroup.yaml
@@ -4,7 +4,7 @@ metadata:
   name: scalinggroup-worker-azure
   namespace: kube-system
 spec:
-  nodeImage: "constellation-coreos-azure"
+  nodeImage: "constellation-os-azure"
   groupId: "/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachineScaleSets/"
   autoscaling: true
 ---
@@ -14,6 +14,6 @@ metadata:
   name: scalinggroup-worker-gcp
   namespace: kube-system
 spec:
-  nodeImage: "constellation-coreos-gcp"
+  nodeImage: "constellation-os-gcp"
   groupId: "projects//zones//instanceGroupManagers/"
   autoscaling: true
diff --git a/operators/constellation-node-operator/internal/constants/constants.go b/operators/constellation-node-operator/internal/constants/constants.go
index fee44b695..80d4dd3c4 100644
--- a/operators/constellation-node-operator/internal/constants/constants.go
+++ b/operators/constellation-node-operator/internal/constants/constants.go
@@ -8,7 +8,7 @@ package constants
 
 const (
 	AutoscalingStrategyResourceName      = "autoscalingstrategy"
-	NodeImageResourceName                = "constellation-coreos"
+	NodeImageResourceName                = "constellation-os"
 	ControlPlaneScalingGroupResourceName = "scalinggroup-controlplane"
 	WorkerScalingGroupResourceName       = "scalinggroup-worker"
 )