AB#2309 constellation upgrade execute (#2)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

cli/cmd/root.go

@@ -41,6 +41,7 @@ func NewRootCmd() *cobra.Command {
 	rootCmd.AddCommand(cmd.NewVerifyCmd())
 	rootCmd.AddCommand(cmd.NewRecoverCmd())
 	rootCmd.AddCommand(cmd.NewTerminateCmd())
+	rootCmd.AddCommand(cmd.NewUpgradeCmd())
 	rootCmd.AddCommand(cmd.NewVersionCmd())
 
 	return rootCmd

cli/internal/cloudcmd/upgrade.go

@@ -0,0 +1,186 @@
+package cloudcmd
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/edgelesssys/constellation/internal/constants"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// Upgrader handles upgrading the cluster's components using the CLI.
+type Upgrader struct {
+	measurementsUpdater measurementsUpdater
+	imageUpdater        imageUpdater
+
+	writer io.Writer
+}
+
+// NewUpgrader returns a new Upgrader.
+func NewUpgrader(writer io.Writer) (*Upgrader, error) {
+	kubeConfig, err := clientcmd.BuildConfigFromFlags("", constants.AdminConfFilename)
+	if err != nil {
+		return nil, fmt.Errorf("building kubernetes config: %w", err)
+	}
+
+	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("setting up kubernetes client: %w", err)
+	}
+
+	// use unstructured client to avoid importing the operator packages
+	unstructuredClient, err := dynamic.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("setting up custom resource client: %w", err)
+	}
+
+	return &Upgrader{
+		measurementsUpdater: &kubeMeasurementsUpdater{client: kubeClient},
+		imageUpdater:        &kubeImageUpdater{client: unstructuredClient},
+		writer:              writer,
+	}, nil
+}
+
+// Upgrade upgrades the cluster to the given measurements and image.
+func (u *Upgrader) Upgrade(ctx context.Context, image string, measurements map[uint32][]byte) error {
+	if err := u.updateMeasurements(ctx, measurements); err != nil {
+		return fmt.Errorf("updating measurements: %w", err)
+	}
+
+	if err := u.updateImage(ctx, image); err != nil {
+		return fmt.Errorf("updating image: %w", err)
+	}
+	return nil
+}
+
+func (u *Upgrader) updateMeasurements(ctx context.Context, measurements map[uint32][]byte) error {
+	existingConf, err := u.measurementsUpdater.getCurrent(ctx, constants.JoinConfigMap)
+	if err != nil {
+		return fmt.Errorf("retrieving current measurements: %w", err)
+	}
+
+	var currentMeasurements map[uint32][]byte
+	if err := json.Unmarshal([]byte(existingConf.Data[constants.MeasurementsFilename]), &currentMeasurements); err != nil {
+		return fmt.Errorf("retrieving current measurements: %w", err)
+	}
+	if len(currentMeasurements) == len(measurements) {
+		changed := false
+		for k, v := range currentMeasurements {
+			if !bytes.Equal(v, measurements[k]) {
+				// measurements have changed
+				changed = true
+				break
+			}
+		}
+		if !changed {
+			// measurements are the same, nothing to be done
+			fmt.Fprintln(u.writer, "Cluster is already using the chosen measurements, skipping measurements upgrade")
+			return nil
+		}
+	}
+
+	// backup of previous measurements
+	existingConf.Data["oldMeasurements"] = existingConf.Data[constants.MeasurementsFilename]
+
+	measurementsJSON, err := json.Marshal(measurements)
+	if err != nil {
+		return fmt.Errorf("marshaling measurements: %w", err)
+	}
+	existingConf.Data[constants.MeasurementsFilename] = string(measurementsJSON)
+	_, err = u.measurementsUpdater.update(ctx, existingConf)
+	if err != nil {
+		return fmt.Errorf("setting new measurements: %w", err)
+	}
+
+	fmt.Fprintln(u.writer, "Successfully updated the cluster's expected measurements")
+	return nil
+}
+
+func (u *Upgrader) updateImage(ctx context.Context, image string) error {
+	currentImage, err := u.imageUpdater.getCurrent(ctx, "constellation-coreos")
+	if err != nil {
+		return fmt.Errorf("retrieving current image: %w", err)
+	}
+
+	spec, ok := currentImage.Object["spec"]
+	if !ok {
+		return errors.New("current image has no spec")
+	}
+	specMap, ok := spec.(map[string]interface{})
+	if !ok {
+		return errors.New("current image spec is not a map")
+	}
+	currentImageDefinition, ok := specMap["image"]
+	if !ok {
+		return errors.New("unable to read current image")
+	}
+
+	if currentImageDefinition == image {
+		fmt.Fprintln(u.writer, "Cluster is already using the chosen image, skipping image upgrade")
+		return nil
+	}
+
+	currentImage.Object["spec"].(map[string]interface{})["image"] = image
+	if _, err := u.imageUpdater.update(ctx, currentImage); err != nil {
+		return fmt.Errorf("setting new image: %w", err)
+	}
+
+	fmt.Fprintln(u.writer, "Successfully updated the cluster's image, upgrades will be applied automatically")
+	return nil
+}
+
+type imageUpdater interface {
+	getCurrent(ctx context.Context, name string) (*unstructured.Unstructured, error)
+	update(ctx context.Context, obj *unstructured.Unstructured) (*unstructured.Unstructured, error)
+}
+
+type measurementsUpdater interface {
+	getCurrent(ctx context.Context, name string) (*corev1.ConfigMap, error)
+	update(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error)
+}
+
+type kubeImageUpdater struct {
+	client dynamic.Interface
+}
+
+// getCurrent returns the current image definition.
+func (u *kubeImageUpdater) getCurrent(ctx context.Context, name string) (*unstructured.Unstructured, error) {
+	return u.client.Resource(schema.GroupVersionResource{
+		Group:    "update.edgeless.systems",
+		Version:  "v1alpha1",
+		Resource: "nodeimages",
+	}).Get(ctx, name, metav1.GetOptions{})
+}
+
+// update updates the image definition.
+func (u *kubeImageUpdater) update(ctx context.Context, obj *unstructured.Unstructured) (*unstructured.Unstructured, error) {
+	return u.client.Resource(schema.GroupVersionResource{
+		Group:    "update.edgeless.systems",
+		Version:  "v1alpha1",
+		Resource: "nodeimages",
+	}).Update(ctx, obj, metav1.UpdateOptions{})
+}
+
+type kubeMeasurementsUpdater struct {
+	client kubernetes.Interface
+}
+
+// getCurrent returns the cluster's expected measurements.
+func (u *kubeMeasurementsUpdater) getCurrent(ctx context.Context, name string) (*corev1.ConfigMap, error) {
+	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Get(ctx, name, metav1.GetOptions{})
+}
+
+// update updates the cluster's expected measurements in Kubernetes.
+func (u *kubeMeasurementsUpdater) update(ctx context.Context, configMap *corev1.ConfigMap) (*corev1.ConfigMap, error) {
+	return u.client.CoreV1().ConfigMaps(constants.ConstellationNamespace).Update(ctx, configMap, metav1.UpdateOptions{})
+}

cli/internal/cloudcmd/upgrade_test.go

@@ -0,0 +1,234 @@
+package cloudcmd
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+
+	"github.com/edgelesssys/constellation/internal/constants"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func TestUpdateMeasurements(t *testing.T) {
+	someErr := errors.New("error")
+	testCases := map[string]struct {
+		updater         *stubMeasurementsUpdater
+		newMeasurements map[uint32][]byte
+		wantUpdate      bool
+		wantErr         bool
+	}{
+		"success": {
+			updater: &stubMeasurementsUpdater{
+				oldMeasurements: &corev1.ConfigMap{
+					Data: map[string]string{
+						constants.MeasurementsFilename: `{"0":"AAAAAA=="}`,
+					},
+				},
+			},
+			newMeasurements: map[uint32][]byte{
+				0: []byte("1"),
+			},
+			wantUpdate: true,
+		},
+		"measurements are the same": {
+			updater: &stubMeasurementsUpdater{
+				oldMeasurements: &corev1.ConfigMap{
+					Data: map[string]string{
+						constants.MeasurementsFilename: `{"0":"MQ=="}`,
+					},
+				},
+			},
+			newMeasurements: map[uint32][]byte{
+				0: []byte("1"),
+			},
+		},
+		"getCurrent error": {
+			updater: &stubMeasurementsUpdater{getErr: someErr},
+			wantErr: true,
+		},
+		"update error": {
+			updater: &stubMeasurementsUpdater{
+				oldMeasurements: &corev1.ConfigMap{
+					Data: map[string]string{
+						constants.MeasurementsFilename: `{"0":"AAAAAA=="}`,
+					},
+				},
+				updateErr: someErr,
+			},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			upgrader := &Upgrader{
+				measurementsUpdater: tc.updater,
+				writer:              &bytes.Buffer{},
+			}
+
+			err := upgrader.updateMeasurements(context.Background(), tc.newMeasurements)
+			if tc.wantErr {
+				assert.ErrorIs(err, someErr)
+				return
+			}
+
+			assert.NoError(err)
+			if tc.wantUpdate {
+				newMeasurementsJSON, err := json.Marshal(tc.newMeasurements)
+				require.NoError(t, err)
+				assert.JSONEq(string(newMeasurementsJSON), tc.updater.updatedMeasurements.Data[constants.MeasurementsFilename])
+			} else {
+				assert.Nil(tc.updater.updatedMeasurements)
+			}
+		})
+	}
+}
+
+type stubMeasurementsUpdater struct {
+	oldMeasurements     *corev1.ConfigMap
+	updatedMeasurements *corev1.ConfigMap
+	getErr              error
+	updateErr           error
+}
+
+func (u *stubMeasurementsUpdater) getCurrent(context.Context, string) (*corev1.ConfigMap, error) {
+	return u.oldMeasurements, u.getErr
+}
+
+func (u *stubMeasurementsUpdater) update(_ context.Context, updatedMeasurements *corev1.ConfigMap) (*corev1.ConfigMap, error) {
+	u.updatedMeasurements = updatedMeasurements
+	return nil, u.updateErr
+}
+
+func TestUpdateImage(t *testing.T) {
+	someErr := errors.New("error")
+	testCases := map[string]struct {
+		updater    *stubImageUpdater
+		newImage   string
+		wantUpdate bool
+		wantErr    bool
+	}{
+		"success": {
+			updater: &stubImageUpdater{
+				setImage: &unstructured.Unstructured{
+					Object: map[string]interface{}{
+						"spec": map[string]interface{}{
+							"image": "old-image",
+						},
+					},
+				},
+			},
+			newImage:   "new-image",
+			wantUpdate: true,
+		},
+		"image is the same": {
+			updater: &stubImageUpdater{
+				setImage: &unstructured.Unstructured{
+					Object: map[string]interface{}{
+						"spec": map[string]interface{}{
+							"image": "old-image",
+						},
+					},
+				},
+			},
+			newImage: "old-image",
+		},
+		"getCurrent error": {
+			updater: &stubImageUpdater{getErr: someErr},
+			wantErr: true,
+		},
+		"update error": {
+			updater: &stubImageUpdater{
+				setImage: &unstructured.Unstructured{
+					Object: map[string]interface{}{
+						"spec": map[string]interface{}{
+							"image": "old-image",
+						},
+					},
+				},
+				updateErr: someErr,
+			},
+			newImage: "new-image",
+			wantErr:  true,
+		},
+		"no spec": {
+			updater: &stubImageUpdater{
+				setImage: &unstructured.Unstructured{
+					Object: map[string]interface{}{},
+				},
+			},
+			newImage: "new-image",
+			wantErr:  true,
+		},
+		"not a map": {
+			updater: &stubImageUpdater{
+				setImage: &unstructured.Unstructured{
+					Object: map[string]interface{}{
+						"spec": "not a map",
+					},
+				},
+			},
+			newImage: "new-image",
+			wantErr:  true,
+		},
+		"no spec.image": {
+			updater: &stubImageUpdater{
+				setImage: &unstructured.Unstructured{
+					Object: map[string]interface{}{
+						"spec": map[string]interface{}{},
+					},
+				},
+			},
+			newImage: "new-image",
+			wantErr:  true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			upgrader := &Upgrader{
+				imageUpdater: tc.updater,
+				writer:       &bytes.Buffer{},
+			}
+
+			err := upgrader.updateImage(context.Background(), tc.newImage)
+
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+
+			assert.NoError(err)
+			if tc.wantUpdate {
+				assert.Equal(tc.newImage, tc.updater.updatedImage.Object["spec"].(map[string]interface{})["image"])
+			} else {
+				assert.Nil(tc.updater.updatedImage)
+			}
+		})
+	}
+}
+
+type stubImageUpdater struct {
+	setImage     *unstructured.Unstructured
+	updatedImage *unstructured.Unstructured
+	getErr       error
+	updateErr    error
+}
+
+func (u *stubImageUpdater) getCurrent(ctx context.Context, name string) (*unstructured.Unstructured, error) {
+	return u.setImage, u.getErr
+}
+
+func (u *stubImageUpdater) update(_ context.Context, updatedImage *unstructured.Unstructured) (*unstructured.Unstructured, error) {
+	u.updatedImage = updatedImage
+	return nil, u.updateErr
+}

cli/internal/cmd/upgrade.go

@@ -0,0 +1,19 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// NewUpgradeCmd returns a new cobra.Command for the upgrade command.
+func NewUpgradeCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "upgrade",
+		Short: "Plan and perform an upgrade of a Constellation cluster",
+		Long:  "Plan and perform an upgrade of a Constellation cluster.",
+		Args:  cobra.ExactArgs(0),
+	}
+
+	cmd.AddCommand(newUpgradeExecuteCmd())
+
+	return cmd
+}

cli/internal/cmd/upgradeexecute.go

@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	"context"
+
+	"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
+	"github.com/edgelesssys/constellation/internal/config"
+	"github.com/edgelesssys/constellation/internal/file"
+	"github.com/spf13/afero"
+	"github.com/spf13/cobra"
+)
+
+func newUpgradeExecuteCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "execute",
+		Short: "Execute an upgrade of a Constellation cluster",
+		Long:  "Execute an upgrade of a Constellation cluster by applying the chosen configuration.",
+		Args:  cobra.NoArgs,
+		RunE:  runUpgradeExecute,
+	}
+
+	return cmd
+}
+
+func runUpgradeExecute(cmd *cobra.Command, args []string) error {
+	fileHandler := file.NewHandler(afero.NewOsFs())
+	upgrader, err := cloudcmd.NewUpgrader(cmd.OutOrStdout())
+	if err != nil {
+		return err
+	}
+
+	return upgradeExecute(cmd, upgrader, fileHandler)
+}
+
+func upgradeExecute(cmd *cobra.Command, upgrader cloudUpgrader, fileHandler file.Handler) error {
+	configPath, err := cmd.Flags().GetString("config")
+	if err != nil {
+		return err
+	}
+	config, err := config.FromFile(fileHandler, configPath)
+	if err != nil {
+		return err
+	}
+
+	// TODO: validate upgrade config? Should be basic things like checking image is not an empty string
+	// More sophisticated validation, like making sure we don't downgrade the cluster, should be done by `constellation upgrade plan`
+
+	return upgrader.Upgrade(cmd.Context(), config.Upgrade.Image, config.Upgrade.Measurements)
+}
+
+type cloudUpgrader interface {
+	Upgrade(ctx context.Context, image string, measurements map[uint32][]byte) error
+}

cli/internal/cmd/upgradeexecute_test.go

@@ -0,0 +1,56 @@
+package cmd
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/edgelesssys/constellation/internal/config"
+	"github.com/edgelesssys/constellation/internal/constants"
+	"github.com/edgelesssys/constellation/internal/file"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUpgradeExecute(t *testing.T) {
+	testCases := map[string]struct {
+		upgrader stubUpgrader
+		wantErr  bool
+	}{
+		"success": {
+			upgrader: stubUpgrader{},
+		},
+		"upgrade error": {
+			upgrader: stubUpgrader{err: errors.New("error")},
+			wantErr:  true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+			cmd := newUpgradeExecuteCmd()
+			cmd.Flags().String("config", constants.ConfigFilename, "") // register persistent flag manually
+
+			handler := file.NewHandler(afero.NewMemMapFs())
+			require.NoError(handler.WriteYAML(constants.ConfigFilename, config.Default()))
+
+			err := upgradeExecute(cmd, tc.upgrader, handler)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+			}
+		})
+	}
+}
+
+type stubUpgrader struct {
+	err error
+}
+
+func (u stubUpgrader) Upgrade(context.Context, string, map[uint32][]byte) error {
+	return u.err
+}