todo responsibilities and cleanup (#1837)

* chore: add TODO responsibilities * chore: remove not needed TODOs * chore: remove outdated migrations * chore: remove resolved goleak exception * chore: remove not needed cosign env * config: add link to our Azure snp docs
2024-10-01 01:36:09 -04:00 · 2023-06-01 12:33:06 +02:00 · 2023-06-01 12:33:06 +02:00 · e0285c122e
commit e0285c122e
parent 0c13f3ed8d
31 changed files with 40 additions and 104 deletions
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@ -66,7 +66,7 @@ runs:
        export PATH="$PATH:$(dirname "${OUTPUT_PATH}")"
        echo "::endgroup::"

-    # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
+    # TODO(3u13r): Replace with https://github.com/sigstore/sigstore-installer/tree/initial
    # once it has the functionality
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@ -242,7 +242,6 @@ runs:
        echo "KUBECONFIG=$(pwd)/constellation-admin.conf" >> $GITHUB_OUTPUT
        echo "MASTERSECRET=$(pwd)/constellation-mastersecret.json" >> $GITHUB_OUTPUT

-    # TODO(nirusu): Temporarily increase kubectl wait timeout here - might be related to all the Cilium / cert-manager issues?
    - name: Wait for nodes to join and become ready
      shell: bash
      env:
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@ -27,7 +27,6 @@ runs:
    - name: Generate SBOM
      shell: bash
      env:
-        # COSIGN_EXPERIMENTAL: 1 # This breaks verification with HTTP 404
        COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
@ -37,7 +36,7 @@ runs:
        syft packages ${{ inputs.containerReference }} -o cyclonedx-json > container-image-predicate.json
        cosign attest ${{ inputs.containerReference }} --key env://COSIGN_PRIVATE_KEY --predicate container-image-predicate.json --type "https://cyclonedx.org/bom" > container-image.att.json
        cosign attach attestation ${{ inputs.containerReference }} --attestation container-image.att.json
-        # TODO: type should be auto-discovered after issue is resolved:
+        # TODO(3u13r): type should be auto-discovered after issue is resolved:
        # https://github.com/sigstore/cosign/issues/2264
        cosign verify-attestation ${{ inputs.containerReference }} --type "https://cyclonedx.org/bom" --key env://COSIGN_PUBLIC_KEY
        grype ${{ inputs.containerReference }} --fail-on high --only-fixed --add-cpes-if-none
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -266,7 +266,7 @@ runs:
      if: inputs.test == 'sonobuoy full'
      uses: ./.github/actions/e2e_sonobuoy
      with:
-        # TODO: Remove E2E_SKIP once AB#2174 is resolved
+        # TODO(3u13r): Remove E2E_SKIP once AB#2174 is resolved
        sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@ -12,8 +12,9 @@ jobs:
    strategy:
      matrix:
        version: [v26.0.1]
-        # TODO: Once issue is closed upgrade older versions, rebuild, and update versions.go
+        # TODO(katexochen): Once issue is closed upgrade older versions, rebuild, and update versions.go
        # https://github.com/kubernetes/cloud-provider-gcp/issues/451
+        # Alternativly, they start to publish releases themselves and we can remove this workflow (see https://github.com/kubernetes/cloud-provider-gcp/issues/289).
        # version: [v26.0.1, v25.5.0, v24.0.0]
        include:
          - version: v26.0.1
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -222,7 +222,7 @@ jobs:
    name: "Build OS using mkosi"
    needs: [build-settings, build-dependencies]
    runs-on: ubuntu-22.04
-    # TODO: flatten outputs once possible
+    # TODO(malt3): flatten outputs once possible
    # https://github.com/community/community/discussions/17245
    outputs:
      image-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-aws-nitro-tpm-sha256 }}
--- a/3rdparty/bazel/com_github_google_go_tpm_tools/ms_tpm_20_ref.need
+++ b/3rdparty/bazel/com_github_google_go_tpm_tools/ms_tpm_20_ref.need
@ -204,7 +204,7 @@ cc_library(
        # "-D_CRYPT_HASH_C_",
        # "-D_X509_SPT_",
        # from internal/internal_cgo.go
-        # TODO: cleanup these flags
+        # TODO(malt3): cleanup these flags
        "-fno-delete-null-pointer-checks",
        "-fwrapv",
        "-fno-sanitize=all",  # relax sanitizer checks for this test-only dependency
--- a/bazel/oci/pin.bzl
+++ b/bazel/oci/pin.bzl
@ -154,7 +154,7 @@ oci_sum = rule(
 )

 def _oci_sum_merge_impl(ctx):
-    # TODO: select list of labels
+    # TODO(malt3): select list of labels
    inputs = ctx.files.sums
    output = ctx.actions.declare_file(ctx.label.name + ".sha256")
    args = [
--- a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go
@ -92,7 +92,7 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, kubernetesCompon
 func (k *KubernetesUtil) InitCluster(
 	ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger,
 ) ([]byte, error) {
-	// TODO: audit policy should be user input
+	// TODO(3u13r): audit policy should be user input
 	auditPolicy, err := resources.NewDefaultAuditPolicy().Marshal()
 	if err != nil {
 		return nil, fmt.Errorf("generating default audit policy: %w", err)
@ -314,7 +314,7 @@ func (k *KubernetesUtil) FixCilium(ctx context.Context) error {

 // JoinCluster joins existing Kubernetes cluster using kubeadm join.
 func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte, peerRole role.Role, controlPlaneEndpoint string, log *logger.Logger) error {
-	// TODO: audit policy should be user input
+	// TODO(3u13r): audit policy should be user input
 	auditPolicy, err := resources.NewDefaultAuditPolicy().Marshal()
 	if err != nil {
 		return fmt.Errorf("generating default audit policy: %w", err)
--- a/cli/internal/cloudcmd/create.go
+++ b/cli/internal/cloudcmd/create.go
@ -357,7 +357,7 @@ func normalizeAzureURIs(vars terraform.AzureClusterVariables) terraform.AzureClu
 }

 func (c *Creator) createOpenStack(ctx context.Context, cl terraformClient, opts CreateOptions) (idFile clusterid.File, retErr error) {
-	// TODO: Remove this once OpenStack is supported.
+	// TODO(malt3): Remove this once OpenStack is supported.
 	if os.Getenv("CONSTELLATION_OPENSTACK_DEV") != "1" {
 		return clusterid.File{}, errors.New("OpenStack isn't supported yet")
 	}
@ -417,7 +417,7 @@ func (c *Creator) createQEMU(ctx context.Context, cl terraformClient, lv libvirt
 	qemuRollbacker := &rollbackerQEMU{client: cl, libvirt: lv, createdWorkspace: false}
 	defer rollbackOnError(c.out, &retErr, qemuRollbacker, opts.TFLogLevel)

-	// TODO: render progress bar
+	// TODO(malt3): render progress bar
 	downloader := c.newRawDownloader()
 	imagePath, err := downloader.Download(ctx, c.out, false, opts.source, opts.Config.Image)
 	if err != nil {
--- a/cli/internal/cloudcmd/rollback.go
+++ b/cli/internal/cloudcmd/rollback.go
@ -29,7 +29,7 @@ func rollbackOnError(w io.Writer, onErr *error, roll rollbacker, logLevel terraf
 	fmt.Fprintf(w, "An error occurred: %s\n", *onErr)
 	fmt.Fprintln(w, "Attempting to roll back.")
 	if err := roll.rollback(context.Background(), logLevel); err != nil {
-		*onErr = errors.Join(*onErr, fmt.Errorf("on rollback: %w", err)) // TODO: print the error, or return it?
+		*onErr = errors.Join(*onErr, fmt.Errorf("on rollback: %w", err)) // TODO(katexochen): print the error, or return it?
 		return
 	}
 	fmt.Fprintln(w, "Rollback succeeded.")
--- a/cli/internal/cmd/upgradeapply.go
+++ b/cli/internal/cmd/upgradeapply.go
@ -278,7 +278,7 @@ type imageFetcher interface {
 func (u *upgradeApplyCmd) upgradeAttestConfigIfDiff(cmd *cobra.Command, newConfig config.AttestationCfg, flags upgradeApplyFlags) error {
 	clusterAttestationConfig, _, err := u.upgrader.GetClusterAttestationConfig(cmd.Context(), newConfig.GetVariant())
 	// Config migration from v2.7 to v2.8 requires us to skip comparing configs if the cluster is still using the legacy config.
-	// TODO: v2.9 Remove error type check and always run comparison.
+	// TODO(daniel-weisse): v2.9 Remove error type check and always run comparison.
 	if err != nil && !errors.Is(err, kubernetes.ErrLegacyJoinConfig) {
 		return fmt.Errorf("getting cluster measurements: %w", err)
 	}
--- a/cli/internal/helm/client.go
+++ b/cli/internal/helm/client.go
@ -425,7 +425,7 @@ type crdClient interface {
 	ApplyCRD(ctx context.Context, rawCRD []byte) error
 	GetCRDs(ctx context.Context) ([]apiextensionsv1.CustomResourceDefinition, error)
 	GetCRs(ctx context.Context, gvr schema.GroupVersionResource) ([]unstructured.Unstructured, error)
-	DeleteStorageClass(ctx context.Context, name string) error // TODO: remove with v2.9
+	DeleteStorageClass(ctx context.Context, name string) error // TODO(daniel-weisse): remove with v2.9
 }

 type actionWrapper interface {
--- a/cli/internal/kubernetes/upgrade.go
+++ b/cli/internal/kubernetes/upgrade.go
@ -47,7 +47,7 @@ import (
 var ErrInProgress = errors.New("upgrade in progress")

 // ErrLegacyJoinConfig signals that a legacy join-config was found.
-// TODO: v2.9 remove.
+// TODO(daniel-weisse): v2.9 remove.
 var ErrLegacyJoinConfig = errors.New("legacy join-config with missing attestationConfig found")

 // GetConstellationVersion queries the constellation-version object for a given field.
@ -304,7 +304,7 @@ func (u *Upgrader) GetClusterAttestationConfig(ctx context.Context, variant vari
 		return nil, nil, fmt.Errorf("retrieving current attestation config: %w", err)
 	}
 	if _, ok := existingConf.Data[constants.AttestationConfigFilename]; !ok {
-		// TODO: v2.9 remove legacy config detection since it is only required for upgrades from v2.7
+		// TODO(daniel-weisse): v2.9 remove legacy config detection since it is only required for upgrades from v2.7
 		if _, ok := existingConf.Data["measurements"]; ok {
 			u.log.Debugf("Legacy join config detected, migrating to new config")
 			return nil, existingConf, ErrLegacyJoinConfig
@ -481,7 +481,7 @@ func (u *stableClient) kubernetesVersion() (string, error) {
 }

 // joinConfigMigration prepares a join-config ConfigMap for migration from v2.7 to v2.8.
-// TODO: v2.9: remove this function.
+// TODO(daniel-weisse): v2.9: remove this function.
 func joinConfigMigration(existingConf *corev1.ConfigMap, attestVariant variant.Variant) (config.AttestationCfg, *corev1.ConfigMap, error) {
 	m, ok := existingConf.Data["measurements"]
 	if !ok {
--- a/cli/internal/terraform/terraform/openstack/main.tf
+++ b/cli/internal/terraform/terraform/openstack/main.tf
@ -216,7 +216,7 @@ resource "openstack_compute_floatingip_associate_v2" "public_ip_associate" {
  ]
 }

-# TODO: get LoadBalancer API enabled in the test environment
+# TODO(malt3): get LoadBalancer API enabled in the test environment

 # resource "openstack_lb_loadbalancer_v2" "loadbalancer" {
 #   name          = local.name
--- a/cli/internal/terraform/terraform/openstack/modules/instance_group/main.tf
+++ b/cli/internal/terraform/terraform/openstack/modules/instance_group/main.tf
@ -13,7 +13,7 @@ locals {
  tags        = distinct(sort(concat(var.tags, ["constellation-role-${local.role_dashed}"])))
 }

-# TODO: get this API enabled in the test environment
+# TODO(malt3): get this API enabled in the test environment
 # resource "openstack_compute_servergroup_v2" "instance_group" {
 #   name = local.name
 #   policies = ["soft-anti-affinity"]
@ -26,7 +26,7 @@ resource "openstack_compute_instance_v2" "instance_group_member" {
  flavor_id       = var.flavor_id
  security_groups = var.security_groups
  tags            = local.tags
-  # TODO: get this API enabled in the test environment
+  # TODO(malt3): get this API enabled in the test environment
  # scheduler_hints {
  #   group = openstack_compute_servergroup_v2.instance_group.id
  # }
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@ -269,7 +269,7 @@ func (v *OpenStackClusterVariables) String() string {
 	return b.String()
 }

-// TODO: Add support for OpenStack IAM variables.
+// TODO(malt3): Add support for OpenStack IAM variables.

 // QEMUVariables is user configuration for creating a QEMU cluster with Terraform.
 type QEMUVariables struct {
--- a/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go
+++ b/debugd/internal/debugd/metadata/cloudprovider/cloudprovider.go
@ -97,10 +97,6 @@ func (f *Fetcher) DiscoverLoadbalancerIP(ctx context.Context) (string, error) {
 	}

 	// The port of the endpoint is not the port we need. We need to strip it off.
-	//
-	// TODO: Tag the specific load balancer we are looking for with a distinct tag.
-	// Change the GetLoadBalancerEndpoint method to return the endpoint of a load
-	// balancer with a given tag.
 	lbIP, _, err := net.SplitHostPort(lbEndpoint)
 	if err != nil {
 		return "", fmt.Errorf("parsing load balancer endpoint: %w", err)
--- a/docs/docs/workflows/sbom.md
+++ b/docs/docs/workflows/sbom.md
@ -68,7 +68,7 @@ This example considers only the `verification-service`. The same approach works
 :::

 <!--
-TODO: Once mkosi is implemented
+TODO(malt3): Once mkosi is implemented
 ## Operating System
 -->

--- a/image/mkosi.conf.d/mkosi.conf
+++ b/image/mkosi.conf.d/mkosi.conf
@ -12,7 +12,7 @@ SplitArtifacts=yes
 SecureBoot=yes
 SecureBootKey=pki/db.key
 SecureBootCertificate=pki/db.crt
-# TODO: Wait for systemd 252 to bring systemd-measure
+# TODO(malt3): Wait for systemd 252 to bring systemd-measure
 # Measure=yes
 ImageId=constellation
 Output=image.raw
--- a/internal/attestation/measurements/measurements.go
+++ b/internal/attestation/measurements/measurements.go
@ -17,7 +17,6 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
-	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
@ -46,7 +45,7 @@ const (
 	PCRIndexClusterID = tpmutil.Handle(15)
 	// PCRIndexOwnerID is a PCR we extend to mark the node as initialized.
 	// The value used to extend is derived from Constellation's master key.
-	// TODO: move to stable, non-debug PCR before use.
+	// TODO(daniel-weisse): move to stable, non-debug PCR before use.
 	PCRIndexOwnerID = tpmutil.Handle(16)

 	// TDXIndexClusterID is the measurement used to mark the node as initialized.
@ -431,16 +430,7 @@ func (m Measurement) MarshalYAML() (any, error) {
 func (m *Measurement) unmarshal(eM encodedMeasurement) error {
 	expected, err := hex.DecodeString(eM.Expected)
 	if err != nil {
-		// expected value might be in base64 legacy format
-		// TODO: Remove with v2.4.0
-		hexErr := err
-		expected, err = base64.StdEncoding.DecodeString(eM.Expected)
-		if err != nil {
-			return errors.Join(
-				fmt.Errorf("invalid measurement: not a hex string %w", hexErr),
-				fmt.Errorf("not a base64 string: %w", err),
-			)
-		}
+		return fmt.Errorf("decoding measurement: %w", err)
 	}

 	if len(expected) != 32 && len(expected) != 48 {
--- a/internal/attestation/measurements/measurements_test.go
+++ b/internal/attestation/measurements/measurements_test.go
@ -80,18 +80,6 @@ func TestUnmarshal(t *testing.T) {
 		wantMeasurements M
 		wantErr          bool
 	}{
-		"valid measurements base64": {
-			inputYAML: "2:\n expected: \"/V3p3zUOO8RBCsBrv+XM3rk/U7nvUSOfdSzmnbxgDzU=\"\n3:\n expected: \"1aRJbSHeyaUljdsZxv61O7TTwEY/5gfySI3fTxAG754=\"",
-			inputJSON: `{"2":{"expected":"/V3p3zUOO8RBCsBrv+XM3rk/U7nvUSOfdSzmnbxgDzU="},"3":{"expected":"1aRJbSHeyaUljdsZxv61O7TTwEY/5gfySI3fTxAG754="}}`,
-			wantMeasurements: M{
-				2: {
-					Expected: []byte{253, 93, 233, 223, 53, 14, 59, 196, 65, 10, 192, 107, 191, 229, 204, 222, 185, 63, 83, 185, 239, 81, 35, 159, 117, 44, 230, 157, 188, 96, 15, 53},
-				},
-				3: {
-					Expected: []byte{213, 164, 73, 109, 33, 222, 201, 165, 37, 141, 219, 25, 198, 254, 181, 59, 180, 211, 192, 70, 63, 230, 7, 242, 72, 141, 223, 79, 16, 6, 239, 158},
-				},
-			},
-		},
 		"valid measurements hex": {
 			inputYAML: "2:\n expected: \"fd5de9df350e3bc4410ac06bbfe5ccdeb93f53b9ef51239f752ce69dbc600f35\"\n3:\n expected: \"d5a4496d21dec9a5258ddb19c6feb53bb4d3c0463fe607f2488ddf4f1006ef9e\"",
 			inputJSON: `{"2":{"expected":"fd5de9df350e3bc4410ac06bbfe5ccdeb93f53b9ef51239f752ce69dbc600f35"},"3":{"expected":"d5a4496d21dec9a5258ddb19c6feb53bb4d3c0463fe607f2488ddf4f1006ef9e"}}`,
@ -117,8 +105,8 @@ func TestUnmarshal(t *testing.T) {
 			},
 		},
 		"empty bytes": {
-			inputYAML: "2:\n expected: \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"\n3:\n expected: \"AQIDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"",
-			inputJSON: `{"2":{"expected":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="},"3":{"expected":"AQIDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}}`,
+			inputYAML: "2:\n expected: \"0000000000000000000000000000000000000000000000000000000000000000\"\n3:\n expected: \"0102030400000000000000000000000000000000000000000000000000000000\"",
+			inputJSON: `{"2":{"expected":"0000000000000000000000000000000000000000000000000000000000000000"},"3":{"expected":"0102030400000000000000000000000000000000000000000000000000000000"}}`,
 			wantMeasurements: M{
 				2: {
 					Expected: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
@ -133,18 +121,6 @@ func TestUnmarshal(t *testing.T) {
 			inputJSON: `{"2":{"expected":"This is not base64"},"3":{"expected":"AQIDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}}`,
 			wantErr:   true,
 		},
-		"legacy format": {
-			inputYAML: "2: \"/V3p3zUOO8RBCsBrv+XM3rk/U7nvUSOfdSzmnbxgDzU=\"\n3: \"1aRJbSHeyaUljdsZxv61O7TTwEY/5gfySI3fTxAG754=\"",
-			inputJSON: `{"2":"/V3p3zUOO8RBCsBrv+XM3rk/U7nvUSOfdSzmnbxgDzU=","3":"1aRJbSHeyaUljdsZxv61O7TTwEY/5gfySI3fTxAG754="}`,
-			wantMeasurements: M{
-				2: {
-					Expected: []byte{253, 93, 233, 223, 53, 14, 59, 196, 65, 10, 192, 107, 191, 229, 204, 222, 185, 63, 83, 185, 239, 81, 35, 159, 117, 44, 230, 157, 188, 96, 15, 53},
-				},
-				3: {
-					Expected: []byte{213, 164, 73, 109, 33, 222, 201, 165, 37, 141, 219, 25, 198, 254, 181, 59, 180, 211, 192, 70, 63, 230, 7, 242, 72, 141, 223, 79, 16, 6, 239, 158},
-				},
-			},
-		},
 		"invalid length hex": {
 			inputYAML: "2:\n expected: \"fd5de9df350e3bc4410ac06bbfe5ccdeb93f53b9ef\"\n3:\n expected: \"d5a4496d21dec9a5258ddb19c6feb53bb4d3c0463f\"",
 			inputJSON: `{"2":{"expected":"fd5de9df350e3bc4410ac06bbfe5ccdeb93f53b9ef"},"3":{"expected":"d5a4496d21dec9a5258ddb19c6feb53bb4d3c0463f"}}`,
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -280,8 +280,7 @@ type AttestationConfig struct {
 	//   AWS Nitro TPM attestation.
 	AWSNitroTPM *AWSNitroTPM `yaml:"awsNitroTPM,omitempty" validate:"omitempty,dive"`
 	// description: |
-	//   Azure SEV-SNP attestation.\nSee our docs for more information on configurable values
-	//   TODO(AB#3071): add link after docs are written
+	//   Azure SEV-SNP attestation.\nFor details see: https://docs.edgeless.systems/constellation/architecture/attestation#cvm-verification
 	AzureSEVSNP *AzureSEVSNP `yaml:"azureSEVSNP,omitempty" validate:"omitempty,dive"`
 	// description: |
 	//   Azure TPM attestation (Trusted Launch).
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@ -434,8 +434,8 @@ func init() {
 	AttestationConfigDoc.Fields[1].Name = "azureSEVSNP"
 	AttestationConfigDoc.Fields[1].Type = "AzureSEVSNP"
 	AttestationConfigDoc.Fields[1].Note = ""
-	AttestationConfigDoc.Fields[1].Description = "Azure SEV-SNP attestation.\nSee our docs for more information on configurable values\nTODO(AB#3071): add link after docs are written"
-	AttestationConfigDoc.Fields[1].Comments[encoder.LineComment] = "Azure SEV-SNP attestation.\nSee our docs for more information on configurable values"
+	AttestationConfigDoc.Fields[1].Description = "Azure SEV-SNP attestation.\nFor details see: https://docs.edgeless.systems/constellation/architecture/attestation#cvm-verification"
+	AttestationConfigDoc.Fields[1].Comments[encoder.LineComment] = "Azure SEV-SNP attestation.\nFor details see: https://docs.edgeless.systems/constellation/architecture/attestation#cvm-verification"
 	AttestationConfigDoc.Fields[2].Name = "azureTrustedLaunch"
 	AttestationConfigDoc.Fields[2].Type = "AzureTrustedLaunch"
 	AttestationConfigDoc.Fields[2].Note = ""
--- a/internal/config/validation.go
+++ b/internal/config/validation.go
@ -391,26 +391,7 @@ func getPlaceholderEntries(m measurements.M) []uint32 {
 }

 func (c *Config) validateK8sVersion(fl validator.FieldLevel) bool {
-	// TODO: v2.7: do not create extendedVersion variable and directly validate field from fl.
-	// This patch is for compatibility with configs from v2.5 only. Configs specifying k8s
-	// the version as MAJOR.MINOR automatically get extended with the respective patch version.
-	configVersion := compatibility.EnsurePrefixV(fl.Field().String())
-	if !semver.IsValid(configVersion) {
-		return false
-	}
-
-	extendedVersion := K8sVersionFromMajorMinor(semver.MajorMinor(configVersion))
-	if extendedVersion == "" {
-		return false
-	}
-
-	valid := versions.IsSupportedK8sVersion(extendedVersion)
-	if !valid {
-		return false
-	}
-
-	c.KubernetesVersion = extendedVersion
-	return true
+	return versions.IsSupportedK8sVersion(compatibility.EnsurePrefixV(fl.Field().String()))
 }

 // K8sVersionFromMajorMinor takes a semver in format MAJOR.MINOR
--- a/internal/file/file_test.go
+++ b/internal/file/file_test.go
@ -207,7 +207,7 @@ func TestWriteJSON(t *testing.T) {
 			content: someContent,
 			options: OptMkdirAll,
 		},
-		// TODO: add tests for mkdirAll actually creating the necessary folders when https://github.com/spf13/afero/issues/270 is fixed.
+		// TODO(malt3): add tests for mkdirAll actually creating the necessary folders when https://github.com/spf13/afero/issues/270 is fixed.
 		// Currently, MemMapFs will create files in nonexistent directories due to a bug in afero,
 		// making it impossible to test the actual behavior of the mkdirAll parameter.
 	}
@ -369,7 +369,7 @@ func TestWriteYAML(t *testing.T) {
 			content: someContent,
 			options: OptMkdirAll,
 		},
-		// TODO: add tests for mkdirAll actually creating the necessary folders when https://github.com/spf13/afero/issues/270 is fixed.
+		// TODO(malt3): add tests for mkdirAll actually creating the necessary folders when https://github.com/spf13/afero/issues/270 is fixed.
 		// Currently, MemMapFs will create files in nonexistent directories due to a bug in afero,
 		// making it impossible to test the actual behavior of the mkdirAll parameter.
 	}
--- a/internal/kubernetes/kubectl/kubectl.go
+++ b/internal/kubernetes/kubectl/kubectl.go
@ -200,7 +200,7 @@ func (k *Kubectl) AddNodeSelectorsToDeployment(ctx context.Context, selectors ma
 }

 // DeleteStorageClass deletes the storage class with the given name.
-// TODO: Remove with v2.9.
+// TODO(daniel-weisse): Remove with v2.9.
 func (k *Kubectl) DeleteStorageClass(ctx context.Context, name string) error {
 	return k.StorageV1().StorageClasses().Delete(ctx, name, metav1.DeleteOptions{})
 }
--- a/internal/sigstore/rekor_integration_test.go
+++ b/internal/sigstore/rekor_integration_test.go
@ -18,10 +18,7 @@ import (
 )

 func TestMain(m *testing.M) {
-	goleak.VerifyTestMain(m,
-		// TODO: Remove once https://github.com/sigstore/rekor/issues/1094 resolved
-		goleak.IgnoreTopFunction("internal/poll.runtime_pollWait"),
-	)
+	goleak.VerifyTestMain(m)
 }

 func TestRekorSearchByHash(t *testing.T) {
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@ -143,7 +143,7 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 		// Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md.
 		CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.25.14@sha256:b45bb9bfd30c0da34650f0992a91a77a7babe2b37d627b1a669f9485a5a47b5e", // renovate:container
 		// CloudControllerManagerImageGCP is the CCM image used on GCP.
-		// TODO: use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
+		// TODO(3u13r): use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
 		CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v25.2.0@sha256:86fa9d31ed0b3d0d8806f13d6e7debd3471028b2cb7cca3a876d8a31612a7ba5", // renovate:container
 		// CloudControllerManagerImageOpenStack is the CCM image used on OpenStack.
 		CloudControllerManagerImageOpenStack: "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.25.5", // renovate:container
@ -194,7 +194,7 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 		// Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md.
 		CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.26.10@sha256:8affb69b608f34e2d691a55328d9af150299f35d2e4c21897d30c1bf6937a5a6", // renovate:container
 		// CloudControllerManagerImageGCP is the CCM image used on GCP.
-		// TODO: use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
+		// TODO(3u13r): use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
 		CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v26.0.1@sha256:db2b15a20ad690784a6015bfad55c4dff15826be8cf9f6ac77d70abd11b1f70c", // renovate:container
 		// CloudControllerManagerImageOpenStack is the CCM image used on OpenStack.
 		CloudControllerManagerImageOpenStack: "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.26.2", // renovate:container
@ -245,7 +245,7 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 		// Check for newer versions at https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/README.md.
 		CloudNodeManagerImageAzure: "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.27.4@sha256:f4334277ece5db59c49fe919cde4bf564d2b3d6f80a50c6192ab7f309ac3a40c", // renovate:container
 		// CloudControllerManagerImageGCP is the CCM image used on GCP.
-		// TODO: use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
+		// TODO(3u13r): use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
 		CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v26.0.1@sha256:db2b15a20ad690784a6015bfad55c4dff15826be8cf9f6ac77d70abd11b1f70c", // renovate:container
 		// CloudControllerManagerImageOpenStack is the CCM image used on OpenStack.
 		CloudControllerManagerImageOpenStack: "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.26.2", // renovate:container
--- a/operators/constellation-node-operator/controllers/pendingnode_controller.go
+++ b/operators/constellation-node-operator/controllers/pendingnode_controller.go
@ -134,7 +134,7 @@ func (r *PendingNodeReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{Requeue: true}, nil
 	case updatev1alpha1.NodeGoalLeave:
 		logr.Info("Node was not terminated on time", "pendingNodeGoal", pendingNode.Spec.Goal, "cspNodeState", nodeState)
-		// TODO: decide if other actions should be taken here (e.g. send another request to delete node)
+		// TODO(malt3): decide if other actions should be taken here (e.g. send another request to delete node)
 		return ctrl.Result{RequeueAfter: defaultCheckInterval}, nil
 	}

--- a/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go
+++ b/operators/constellation-node-operator/internal/cloud/azure/client/nodeimage_test.go
@ -313,8 +313,6 @@ func TestDeleteNode(t *testing.T) {
 	}
 }

-// TODO: test capacityPollingHandler
-
 func TestCapacityPollingHandler(t *testing.T) {
 	assert := assert.New(t)
 	wantCapacity := int64(1)