cleanup: various minor debugging improvements (#2889)

* ci: improve constellation_create error message

When we hit a timeout due to nodes not coming up, the actual error
message is hard to make out because it's buried in a group. With the
right formatting, the error message will be highlighted in the UI.

Another improvement is to output the state of nodes, which helps debug the cause of nodes not joining or not becoming ready.

* cleanup: use NodeVersionResourceName constant

... instead of literal strings.

* ci: correctly notify on e2e upgrade error

* atls: report cert extension OIDs on mismatch

If the certificate contains an attestation document for SEV-SNP, but the
given validator is for Nitro, verifyEmbeddedReport should not claim that
there is no attestation document, but that there is no _compatible_ one
and what the incompatible ones were.
This commit is contained in:
Markus Rudy 2024-02-02 16:46:28 +01:00 committed by GitHub
parent 711b53d5c0
commit c020f7ac20
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 9 additions and 6 deletions


@ -221,7 +221,9 @@ runs:
sleep 30
done
if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then
echo "Timed out waiting for nodes to join"
kubectl get nodes -o wide
echo "::error::Timed out waiting for nodes to join"
echo "::endgroup::"
exit 1
fi
echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined"
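Review bot: The `kubectl get nodes -o wide` inserted ahead of the `::error::` line can itself fail when an unreachable API server is the reason the nodes never joined, and if this step runs under bash's `-e` (the default for `shell: bash` in composite actions; the `shell:` key is outside the hunk) that would end the step before the error annotation and `::endgroup::` are emitted, which is exactly the situation the change wants to make readable. Making the diagnostic best-effort keeps the annotation reliable: `kubectl get nodes -o wide || true`. The enclosing step starts before the hunk, so the wait loop's shell options are not visible here.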


@ -524,8 +524,7 @@ jobs:
- name: Notify about failure
if: |
always() &&
needs.create-cluster.result != 'success' &&
needs.e2e-upgrade.result != 'success' &&
( needs.create-cluster.result != 'success' || needs.e2e-upgrade.result != 'success' ) &&
github.ref == 'refs/heads/main' &&
inputs.scheduled
continue-on-error: true
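Review bot: The new parenthesised condition treats `skipped` and `cancelled` the same as `failure`, because `result != 'success'` matches all three, so a scheduled run that is cancelled by hand will also post a failure notification. If only genuine failures should notify, `( needs.create-cluster.result == 'failure' || needs.e2e-upgrade.result == 'failure' )` is the tighter form. If e2e-upgrade declares `needs: create-cluster` (its job definition is outside the hunk), a create-cluster failure already yields `needs.e2e-upgrade.result == 'skipped'`, so the first disjunct is presumably redundant but harmless.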


@ -200,6 +200,7 @@ func processCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) (*x509.Certi
// verifyEmbeddedReport verifies an aTLS certificate by validating the attestation document embedded in the TLS certificate.
func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash, nonce []byte) error {
var exts []string
for _, ex := range cert.Extensions {
for _, validator := range validators {
if ex.Id.Equal(validator.OID()) {
@ -216,9 +217,10 @@ func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash,
return nil
}
}
exts = append(exts, ex.Id.String())
}
return errors.New("certificate does not contain attestation document")
return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %#v", exts)
}
func hashPublicKey(pub any) ([]byte, error) {
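Review bot: The new error on the final return lists the OIDs found in the certificate but not the OIDs the supplied validators would have accepted, so whoever reads the log still has to look up which attestation variant this endpoint expected; collecting `validator.OID().String()` before the loop and printing both lists makes the mismatch self-explanatory. `%#v` also renders the slice as Go syntax (`[]string{"…"}`), which is noisier in log output than `%v`. Note that `exts` gathers every extension, including standard non-attestation ones, which is fine for debugging but means the list is not limited to attestation OIDs. The body between the two hunks (the validator call and its `return nil`) is outside what is shown.
```go
func verifyEmbeddedReport(validators []Validator, cert *x509.Certificate, hash, nonce []byte) error {
	// Collect the OIDs the validators accept up front so a mismatch can name both sides.
	want := make([]string, 0, len(validators))
	for _, v := range validators {
		want = append(want, v.OID().String())
	}
	var exts []string
	// … unchanged: loop over cert.Extensions matching validator OIDs, returning nil on success …
	return fmt.Errorf("certificate does not contain compatible attestation documents: got extension OIDs %v, want one of %v", exts, want)
}
```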


@ -303,7 +303,7 @@ func (k *KubeCmd) getConstellationVersion(ctx context.Context) (updatev1alpha1.N
Group: "update.edgeless.systems",
Version: "v1alpha1",
Resource: "nodeversions",
}, "constellation-version")
}, constants.NodeVersionResourceName)
if err != nil {
return updatev1alpha1.NodeVersion{}, err
}


@ -197,7 +197,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo
// getK8sComponentsConfigMapName reads the k8s components config map name from a VolumeMount that is backed by the k8s-version ConfigMap.
func (s *Server) getK8sComponentsConfigMapName(ctx context.Context) (string, error) {
k8sComponentsRef, err := s.kubeClient.GetK8sComponentsRefFromNodeVersionCRD(ctx, "constellation-version")
k8sComponentsRef, err := s.kubeClient.GetK8sComponentsRefFromNodeVersionCRD(ctx, constants.NodeVersionResourceName)
if err != nil {
return "", fmt.Errorf("could not get k8s components config map name: %w", err)
}