Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2026-01-05 17:55:32 -05:00
Code Issues Projects Releases Packages Wiki Activity

Add docs to repo (#38)

Browse source
This commit is contained in:
Moritz Eckert 2022-09-02 11:52:42 +02:00 committed by GitHub
parent 50d3f3ca7f
commit b95f3dbc91
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
180 changed files with 13401 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.github/docs/README.md vendored
View file

@ -85,7 +85,12 @@ az ad sp create-for-rbac --name "github-actions-e2e-tests" --role contributor --
az role assignment create --role "User Access Administrator" --scope /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435 --assignee <SERVICE_PRINCIPAL_CLIENT_ID>
```
Next, [add API permissions to Managed Identity](https://github.com/edgelesssys/wiki/blob/master/other_tech/azure.md#adding-api-permission-to-managed-identity)
Next, add API permissions to Managed Identity:
* Not possible through portal; requires PowerShell
* <https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/grant-graph-api-permission-to-managed-identity-object/ba-p/2792127>
* `$GraphAppId` in this article is for Microsoft Graph. Azure AD Graph is `00000002-0000-0000-c000-000000000000`
* Note that changing permissions can take between few seconds to several hours
Store output of `az ad sp ...` in [GitHub Action Secret](https://github.com/edgelesssys/constellation/settings/secrets/actions) or create a local secret file for act to consume.

46
.github/docs/release.md vendored Normal file
View file

@ -0,0 +1,46 @@
# Release Checklist
This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers accordingly.
1. Merge ready PRs
2. Create a new branch `release/v1.3.0` to prepare the following things:
1. Use [Build micro-service manual](https://github.com/edgelesssys/constellation/actions/workflows/build-micro-service-manual.yml) and run the pipeline once for each micro-service with the following parameters:
* branch: `release/v1.3.0`
* Container image tag: `v1.3.0`
* Version of the image to build: `1.3.0`
```sh
# Alternative from CLI
gh workflow run build-micro-service-manual.yml --ref release/v1.3.0 -F microService=access-manager -F imageTag=v1.3.0 -F version=1.3.0
gh workflow run build-micro-service-manual.yml --ref release/v1.3.0 -F microService=join-service -F imageTag=v1.3.0 -F version=1.3.0
gh workflow run build-micro-service-manual.yml --ref release/v1.3.0 -F microService=kmsserver -F imageTag=v1.3.0 -F version=1.3.0
gh workflow run build-micro-service-manual.yml --ref release/v1.3.0 -F microService=verification-service -F imageTag=v1.3.0 -F version=1.3.0
```
2. Use [Build operator manual](https://github.com/edgelesssys/constellation/actions/workflows/build-operator-manual.yml) and run the pipeline once with the following parameters:
* branch: `release/v1.3.0`
* Container image tag: `v1.3.0`
```sh
# Alternative from CLI
gh workflow run build-operator-manual.yml --ref release/v1.3.0 -F imageTag=v1.3.0
```
3. Review and update changelog with all changes since last release. [GitHub's diff view](https://github.com/edgelesssys/constellation/compare/v1.2.0...main) helps a lot!
4. Update versions [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0` and **push your changes**.
5. Create a [production coreOS image](/.github/workflows/build-coreos.yml)
```sh
gh workflow run build-coreos.yml --ref release/v1.3.0 -F debug=false -F coreOSConfigBranch=constellation
```
6. Update [default images in config](/internal/config/images_enterprise.go)
7. Merge this branch back to `main`
3. Run E2E to confirm stability and [generate measurements](/.github/workflows/e2e-test-manual.yml)
```sh
gh workflow run e2e-test-manual.yml --ref main -F workerNodesCount=2 -F controlNodesCount=1 -F autoscale=false -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="--mode quick" -F kubernetesVersion=1.23 -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/1.3.0 -F isDebugImage=false
gh workflow run e2e-test-manual.yml --ref main -F workerNodesCount=2 -F controlNodesCount=1 -F autoscale=false -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="--mode quick" -F kubernetesVersion=1.23 -F coreosImage=projects/constellation-images/global/images/constellation-v1-3-0 -F isDebugImage=false
```
4. Create a new tag in `constellation` on `main`
* `git tag v1.3.0`
* Run [Release CLI](https://github.com/edgelesssys/constellation/actions/workflows/release-cli.yml) action on the tag
```sh
gh workflow run release-cli.yml --ref v1.3.0
```
* The previous step will create a draft release. Check build output for link to draft release. Review & approve.
5. Create a new tag in `constellation-docs`
* `git tag v1.3.0`

98
.github/docs/upgrade-kubernetes.md vendored Normal file
View file

@ -0,0 +1,98 @@
# Upgrading Kubernetes
Constellation is a Kubernetes distribution and a sidecar. This means that the Kubernetes version is tracked in multiple places:
- Kubernetes linux binaries installed in the CoreOS image (`kubelet`, `kubectl`, `kubeadm`)
- The desired Kubernetes version deployed by `kubeadm init`
- Kubernetes resources (deployments made while initializing Kubernetes, including the `cloud-controller-manager`, `cluster-autoscaler` and more)
- Kubernetes go dependencies for the bootstrapper code
## Understand what has changed
Before changing the Kubernetes version, it is a very good idea to [read the release notes](https://kubernetes.io/releases/notes/) and to identify breaking changes.
## Prepare CoreOS images
CoreOS is the linux distribution that constellation is built on. The Kubernetes components are installed on CoreOS from [the official Kubernetes RPM sources](https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64).
The installed versions of `kubelet`, `kubeadm` and `kubectl` are pinned to a specific version by the [`manifest-lock.x86_64.json`](https://github.com/edgelesssys/constellation-fedora-coreos-config/blob/constellation/manifest-lock.x86_64.json) in the [`constellation-fedora-coreos-config` repository](https://github.com/edgelesssys/constellation-fedora-coreos-config):
```javascript
{
"packages": {
// [...]
"kubeadm": {
"evra": "1.23.1-0.x86_64"
},
"kubectl": {
"evra": "1.23.1-0.x86_64"
},
"kubelet": {
"evra": "1.23.1-0.x86_64"
},
// [...]
}
// [...]
}
```
New CoreOS images with the desired Kubernetes version should be prepared for testing/debugging and a PR should be opened.
## Upgrade the pinned Kubernetes version deployed by kubeadm
Kubeadm is the Kubernetes deployment tool used by constellation. During `kubeadm init`, a Kubernetes version is selected and installed. Using the flag `--kubernetes-version` or the `ClusterConfiguration` field `kubernetesVersion`, this version can be pinned.
To change this version, set the go constant in [`github.com/edgelesssys/constellation/internal/constants.KubernetesVersion`](/internal/constants/constants.go):
```go
const (
// [...]
// KubernetesVersion installed by kubeadm.
KubernetesVersion = "stable-1.23"
)
```
## Upgrading Kubernetes resources
During the cluster initialization, multiple Kubernetes resources are deployed. Some of these should be upgraded with Kubernetes.
Look at [the resources folder](/bootstrapper/internal/kubernetes/k8sapi/resources) and decide what needs to be upgraded. Cloud provider specific images are defined in [`github.com/edgelesssys/internal/versions`](/internal/versions/versions.go). You can check available version tags for container images using [the container registry tags API](https://docs.docker.com/registry/spec/api/#listing-image-tags):
```
curl -q https://k8s.gcr.io/v2/autoscaling/cluster-autoscaler/tags/list | jq .tags
curl -q https://k8s.gcr.io/v2/cloud-controller-manager/tags/list | jq .tags
curl -q https://us.gcr.io/v2/k8s-artifacts-prod/provider-aws/cloud-controller-manager/tags/list | jq .tags
curl -q https://mcr.microsoft.com/v2/oss/kubernetes/azure-cloud-controller-manager/tags/list | jq .tags
curl -q https://mcr.microsoft.com/v2/oss/kubernetes/azure-cloud-node-manager/tags/list | jq .tags
# [...]
```
## Upgrade go dependencies
The [`go.mod`](/go.mod) and [`go.sum`](/go.sum) files pin versions of the Kubernetes go packages. While these do not need to be on the exact versions used in the Kubernetes deployment, it is a good idea to keep them updated and on a similar version.
Upgrade Kubernetes go dependencies by changing the versions of all packages in the `k8s.io` namespace from the old version to the new version in [`go.mod`](/go.mod) and run `go mod tidy`. Ensure that there are no other conflicts and test your changes.
See the diff of [this PR](https://github.com/edgelesssys/constellation/pull/110) as an example of updating the go dependencies.
## Test the new Kubernetes version
- Setup a Constellation cluster using the new image with the new bootstrapper binary and check if Kubernetes is deployed successfully.
```
# should print the new k8s version for every node
kubectl get nodes -o wide
# read the logs for pods deployed in the kube-system namespace and ensure they are healthy
kubectl -n kube-system get pods
kubectl -n kube-system logs [...]
kubectl -n kube-system describe pods
```
- Read the logs of the main Kubernetes components by getting a shell on the nodes and scan for errors / deprecation warnings:
```
journalctl -u kubelet
journalctl -u containerd
```
- Conduct e2e tests
- [Run the sonobuoy test suite against your branch](https://sonobuoy.io/)
- [Run CI e2e tests](/.github/docs/README.md)