ci: reduce amount of regular tests (#2885)

* .github: add e2e test to pr checklist

* ci: use sonobuoy quick where possible

* ci: run malicious join test on release

* ci: remove self managed infra test

* ci: remove non-example terraform test from weekly

* ci: run Sonobuoy full on the latest k8s version weekly

* ci: run weekly sonobuoy quick on all k8s versions

* ci: don't run duplicate Sonobuoy tests on the latest k8s version
Moritz Sanft 2024-02-01 15:05:07 +01:00 committed by GitHub
parent befc7cdf63
commit d5e4435e3d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
13 changed files with 42 additions and 327 deletions


@ -24,7 +24,7 @@ inputs:
description: "The refStream of the image the test runs on."
required: true
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
default: "cli"
runs:


@ -54,7 +54,7 @@ inputs:
description: "Whether to use an internal load balancer for the control plane"
required: false
clusterCreation:
description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
description: "How to create infrastructure for the e2e test. One of [cli, terraform]."
default: "cli"
marketplaceImageVersion:
description: "Marketplace OS image version. Used instead of osImage."
@ -161,18 +161,10 @@ runs:
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true
- name: Constellation create (CLI)
if : inputs.clusterCreation != 'self-managed'
shell: bash
run: |
constellation apply --skip-phases=init,attestationconfig,certsans,helm,image,k8s -y --debug --tf-log=DEBUG
- name: Constellation create (self-managed)
if : inputs.clusterCreation == 'self-managed'
uses: ./.github/actions/self_managed_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
attestationVariant: ${{ inputs.attestationVariant }}
- name: Cdbg deploy
if: inputs.isDebugImage == 'true'
uses: ./.github/actions/cdbg_deploy
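Review bot: The remaining create step is still guarded by `if : inputs.clusterCreation != 'self-managed'`; if that line survives on the new side it compares against a value the input description (`One of [cli, terraform]`) no longer admits, so the condition is always true and also carries a stray space before the colon that some linters reject. Either drop the guard so the step reads as unconditional, or turn it into an explicit allow-list such as `if: contains(fromJSON('["cli","terraform"]'), inputs.clusterCreation)` so an unexpected value fails the job instead of silently running `constellation apply`. The `runs:` block continues outside this hunk.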


@ -6,7 +6,7 @@ inputs:
description: "The kubeconfig for the cluster."
required: true
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
default: "cli"
gcpClusterDeleteServiceAccount:
description: "Service account with permissions to delete a Constellation cluster on GCP."
@ -72,18 +72,7 @@ runs:
azure_credentials: ${{ inputs.azureClusterDeleteCredentials }}
- name: Constellation terminate
if: inputs.clusterCreation != 'self-managed'
shell: bash
run: |
constellation terminate --yes --tf-log=DEBUG
- name: Constellation terminate (self-managed)
if: inputs.clusterCreation == 'self-managed'
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
run: |
terraform init
terraform destroy -auto-approve
rm -f ${{ github.workspace }}/constellation-state.yaml
rm -f ${{ github.workspace }}/constellation-admin.conf
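Review bot: The surviving terminate step keeps `if: inputs.clusterCreation != 'self-managed'` (assuming it is still on the new side), which can no longer be false now that the input only admits `cli` and `terraform`; remove the condition so the step is plainly unconditional. The deleted branch also removed `constellation-state.yaml` and `constellation-admin.conf` from the workspace after destroy; whether `constellation terminate --yes` does the same on the CLI path is not visible here. If it does not, the admin kubeconfig of a terminated cluster lingers on the runner — harmless on ephemeral GitHub-hosted runners, but worth an explicit `rm -f ${{ github.workspace }}/constellation-admin.conf` if self-hosted runners are ever used for these jobs.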


@ -33,7 +33,7 @@ inputs:
description: "Kubernetes version of the cluster"
required: false
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
default: "cli"
runs:


@ -77,7 +77,7 @@ inputs:
internalLoadBalancer:
description: "Enable internal load balancer for the cluster."
clusterCreation:
description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
description: "How to create infrastructure for the e2e test. One of [cli,, terraform]."
default: "cli"
s3AccessKey:
description: "Access key for s3proxy"
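Review bot: The new description for `clusterCreation` has a doubled comma, `One of [cli,, terraform].`, unlike the same edit in the sibling actions in this commit. Change it to `description: "How to create infrastructure for the e2e test. One of [cli, terraform]."` so the five copies of this input stay word-for-word identical and greppable.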


@ -21,7 +21,7 @@ inputs:
description: "Kubernetes version"
required: false
clusterCreation:
description: "How the infrastructure for the e2e test was created. One of [cli, self-managed, terraform]."
description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
required: false
runs:


@ -1,113 +0,0 @@
name: Self-managed infrastructure creation
description: "Create the required infrastructure for a Constellation cluster manually."
inputs:
cloudProvider:
description: "The cloud provider the test runs on."
required: true
attestationVariant:
description: "The attestation variant to use."
required: true
runs:
using: "composite"
steps:
- name: Copy Terraform configuration and Constellation config
shell: bash
working-directory:
run: |
cp -r ${{ github.workspace }}/terraform/infrastructure/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra
cp ${{ github.workspace }}/constellation-conf.yaml ${{ github.workspace }}/e2e-infra
- name: Get CSP image reference
id: get_image
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
run: |
echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT
- name: Write Terraform variables
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
run: |
echo "name = \"$(yq '.name' constellation-conf.yaml)\"" >> terraform.tfvars
echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars
echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars
echo "image_id = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars
echo "node_groups = {
control_plane_default = {
role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\"
zone = \"$(yq '.nodeGroups.control_plane_default.zone' constellation-conf.yaml)\"
instance_type = \"$(yq '.nodeGroups.control_plane_default.instanceType' constellation-conf.yaml)\"
disk_size = \"$(yq '.nodeGroups.control_plane_default.stateDiskSizeGB' constellation-conf.yaml)\"
disk_type = \"$(yq '.nodeGroups.control_plane_default.stateDiskType' constellation-conf.yaml)\"
initial_count = \"$(yq '.nodeGroups.control_plane_default.initialCount' constellation-conf.yaml)\"
}
worker_default = {
role = \"$(yq '.nodeGroups.worker_default.role' constellation-conf.yaml)\"
zone = \"$(yq '.nodeGroups.worker_default.zone' constellation-conf.yaml)\"
instance_type = \"$(yq '.nodeGroups.worker_default.instanceType' constellation-conf.yaml)\"
disk_size = \"$(yq '.nodeGroups.worker_default.stateDiskSizeGB' constellation-conf.yaml)\"
disk_type = \"$(yq '.nodeGroups.worker_default.stateDiskType' constellation-conf.yaml)\"
initial_count = \"$(yq '.nodeGroups.worker_default.initialCount' constellation-conf.yaml)\"
}
}" >> terraform.tfvars
if [[ "${{ inputs.cloudProvider }}" == 'aws' ]]; then
echo "iam_instance_profile_name_control_plane = \"$(yq '.provider.aws.iamProfileControlPlane' constellation-conf.yaml)\"" >> terraform.tfvars
echo "iam_instance_profile_name_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars
echo "region = \"$(yq '.provider.aws.region' constellation-conf.yaml)\"" >> terraform.tfvars
echo "zone = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars
echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
echo "location = \"$(yq '.provider.azure.location' constellation-conf.yaml)\"" >> terraform.tfvars
echo "create_maa = $(yq '.attestation | has("azureSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
echo "confidential_vm = $(yq '.attestation | has("azureTrustedLaunch") | not' constellation-conf.yaml)" >> terraform.tfvars
echo "secure_boot = $(yq '.provider.azure.secureBoot' constellation-conf.yaml)" >> terraform.tfvars
echo "resource_group = \"$(yq '.provider.azure.resourceGroup' constellation-conf.yaml)\"" >> terraform.tfvars
echo "user_assigned_identity = \"$(yq '.provider.azure.userAssignedIdentity' constellation-conf.yaml)\"" >> terraform.tfvars
elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then
echo "project = \"$(yq '.provider.gcp.project' constellation-conf.yaml)\"" >> terraform.tfvars
echo "region = \"$(yq '.provider.gcp.region' constellation-conf.yaml)\"" >> terraform.tfvars
echo "zone = \"$(yq '.provider.gcp.zone' constellation-conf.yaml)\"" >> terraform.tfvars
fi
terraform fmt terraform.tfvars
echo "Using Terraform variables:"
cat terraform.tfvars
- name: Apply Terraform configuration
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
run: |
terraform init
terraform apply -auto-approve
- name: Patch MAA Policy
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
if: inputs.attestationVariant == 'azure-sev-snp'
run: |
constellation maa-patch $(terraform output attestation_url | jq -r)
- name: Write outputs to state file
shell: bash
working-directory: ${{ github.workspace }}/e2e-infra
run: |
yq eval '.version ="v1"' --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.initSecret =\"$(terraform output init_secret | jq -r | tr -d '\n' | hexdump -ve '/1 "%02x"' && echo '')\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.clusterEndpoint =\"$(terraform output out_of_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.inClusterEndpoint =\"$(terraform output in_cluster_endpoint | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.ipCidrNode =\"$(terraform output ip_cidr_node | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.uid =\"$(terraform output uid | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.name =\"$(terraform output name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.apiServerCertSANs =$(terraform output -json api_server_cert_sans)" --inplace ${{ github.workspace }}/constellation-state.yaml
if [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
yq eval ".infrastructure.azure.resourceGroup =\"$(terraform output resource_group | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.azure.subscriptionID =\"$(terraform output subscription_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.azure.networkSecurityGroupName =\"$(terraform output network_security_group_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.azure.loadBalancerName =\"$(terraform output loadbalancer_name | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.azure.userAssignedIdentity =\"$(terraform output user_assigned_identity_client_id | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.azure.attestationURL =\"$(terraform output attestation_url | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
elif [[ "${{ inputs.cloudProvider }}" == 'gcp' ]]; then
yq eval ".infrastructure.gcp.projectID =\"$(terraform output project | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
yq eval ".infrastructure.gcp.ipCidrPod =\"$(terraform output ip_cidr_pod | jq -r)\"" --inplace ${{ github.workspace }}/constellation-state.yaml
fi


@ -26,6 +26,7 @@ Feel free to edit, complete or extend this list while the PR is open.
### Checklist
<!-- Remove items that do not apply. For completed items, change [ ] to [x], or check after submitting. -->
<!-- more information in dev-docs/workflows/pull-request.md -->
- [ ] Run the E2E tests that are relevant to this PR's changes
- [ ] Update [docs](https://github.com/edgelesssys/constellation/tree/main/docs)
- [ ] Add labels (e.g., for changelog category)
- [ ] Is PR title adequate for changelog?


@ -48,7 +48,7 @@ jobs:
kubernetesVersion: ["1.28"] # should be default
attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
test: ["sonobuoy full"]
test: ["sonobuoy quick"]
runs-on: ubuntu-22.04
permissions:
id-token: write


@ -209,29 +209,6 @@ jobs:
runner: "ubuntu-22.04"
clusterCreation: "cli"
# self-managed infra test on latest k8s version
# runs Sonobuoy full test
- test: "sonobuoy full"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
- test: "sonobuoy full"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
- test: "sonobuoy full"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
runner: "ubuntu-22.04"
clusterCreation: "self-managed"
# s3proxy test on latest k8s version
- test: "s3proxy"
refStream: "ref/main/stream/debug/?"
@ -240,6 +217,28 @@ jobs:
runner: "ubuntu-22.04"
clusterCreation: "cli"
# malicious join test on latest k8s version
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
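Review bot: The four new `malicious join` matrix entries omit the `runner` key that every neighbouring entry in this file carries (`runner: "ubuntu-22.04"` on the s3proxy entry just above and on the removed self-managed entries); they look copied from the weekly workflow, where no entry sets `runner`. If this workflow feeds `matrix.runner` into `runs-on` or the reusable e2e workflow, these jobs get an empty value and never schedule, so add `runner: "ubuntu-22.04"` to each entry. Since this is now the only scheduled place the attestation-based join-rejection path is exercised, a silently unscheduled job here would hide regressions in exactly the check the test exists for; the matrix `include` list continues outside this hunk.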
#
# Tests on macOS runner
#


@ -1,89 +0,0 @@
name: e2e test self managed infrastructure
on:
workflow_dispatch:
inputs:
nodeCount:
description: "Number of nodes to use in the cluster. Given in format `<control-plane nodes>:<worker nodes>`."
default: "3:2"
type: string
attestationVariant:
description: "Which attestation variant to use."
type: choice
options:
- "gcp-sev-es"
- "azure-sev-snp"
- "azure-tdx"
- "aws-sev-snp"
default: "azure-sev-snp"
required: true
runner:
description: "Architecture of the runner that executes the CLI"
type: choice
options:
- "ubuntu-22.04"
- "macos-12"
default: "ubuntu-22.04"
test:
description: "The test to run."
type: choice
options:
- "sonobuoy quick"
- "sonobuoy full"
- "autoscaling"
- "lb"
- "perf-bench"
- "verify"
- "recover"
- "malicious join"
- "nop"
required: true
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
default: "1.28"
required: true
cliVersion:
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
type: string
default: ""
required: false
imageVersion:
description: "Full name of OS image (CSP independent image version UID). Leave empty for latest debug image on main."
type: string
default: ""
required: false
machineType:
description: "Override VM machine type. Leave as 'default' or empty to use the default VM type for the selected cloud provider."
type: string
default: "default"
required: false
regionZone:
description: "Region or zone to create the cluster in. Leave empty for default region/zone."
type: string
git-ref:
description: "Git ref to checkout."
type: string
default: "head"
required: false
jobs:
e2e-test:
permissions:
id-token: write
checks: write
contents: read
packages: write
secrets: inherit
uses: ./.github/workflows/e2e-test.yml
with:
nodeCount: ${{ inputs.nodeCount }}
attestationVariant: ${{ inputs.attestationVariant }}
runner: ${{ inputs.runner }}
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
cliVersion: ${{ inputs.cliVersion }}
imageVersion: ${{ inputs.imageVersion }}
machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }}
git-ref: ${{ inputs.git-ref }}
clusterCreation: "self-managed"


@ -51,7 +51,7 @@ jobs:
# Tests on main-debug refStream
#
# sonobuoy full test on all k8s versions
# Sonobuoy full test on latest k8s version
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
@ -73,48 +73,50 @@ jobs:
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "sonobuoy full"
# Sonobuoy quick test on all but the latest k8s versions
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.28"
clusterCreation: "cli"
- test: "sonobuoy full"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.27"
clusterCreation: "cli"
- test: "sonobuoy full"
- test: "sonobuoy quick"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.27"
clusterCreation: "cli"
# verify test on latest k8s version
- test: "verify"
refStream: "ref/main/stream/debug/?"
@ -222,72 +224,6 @@ jobs:
# kubernetes-version: "v1.29"
# clusterCreation: "cli"
# malicious join test on latest k8s version
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "cli"
- test: "malicious join"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "cli"
# self-managed infra test on latest k8s version
# with Sonobuoy full
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
attestationVariant: "aws-sev-snp"
refStream: "ref/main/stream/debug/?"
kubernetes-version: "v1.29"
clusterCreation: "self-managed"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "gcp-sev-es"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "azure-tdx"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
- test: "sonobuoy full"
refStream: "ref/main/stream/debug/?"
attestationVariant: "aws-sev-snp"
kubernetes-version: "v1.29"
clusterCreation: "terraform"
# s3proxy test on latest k8s version
- test: "s3proxy"
refStream: "ref/main/stream/debug/?"
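Review bot: After this hunk the weekly run no longer exercises the malicious-join path at all, and nothing in the file records that it moved; if the `# malicious join test on latest k8s version` comment is still on the new side it now labels nothing. Replace it with `# malicious join test now runs only in the release e2e workflow` (or drop it) so a reader does not assume the join-rejection coverage was simply lost. Likewise the `terraform` value is still advertised by the `clusterCreation` input in this commit, but no scheduled entry visible here uses it any more — a one-line comment naming where (if anywhere) the Terraform-module path is still tested would help. The matrix `include` list continues outside this hunk.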


@ -114,7 +114,7 @@ on:
type: boolean
default: false
clusterCreation:
description: "How to create infrastructure for the e2e test. One of [cli, self-managed, terraform]."
description: "How to create infrastructure for the e2e test. One of [cli, terraform]."
type: string
default: "cli"
marketplaceImageVersion: