prepare v2.2.2 release and update release.md

Signed-off-by: Fabian Kammel <fk@edgeless.systems>

.github/docs/release.md

@@ -52,15 +52,39 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
        2. Create a new block for unreleased changes
     5. Update project version in [CMakeLists.txt](/CMakeLists.txt) to `1.3.0` (without v).
     6. Update the `version` key in [constellation-services/Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml). Also update the `version` key for all subcharts, e.g. [Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml). Lastly, update the `dependencies.*.version` key for all dependencies in the main chart [constellation-services/Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml).
-    7. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**.
-    8. Create a [production coreOS image](/.github/workflows/build-coreos.yml)
+    7. Update [default image versions in enterprise config](/internal/config/images_enterprise.go)
+    8. Increase version number of QEMU image `ConstellationQEMUImageURL` in [versions.go](../../internal/versions/versions.go#L64)
+    9. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**.
+
+        ```sh
+        # crane: https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md
+        crane digest ghcr.io/edgelesssys/constellation/node-operator-catalog:v$ver
+        crane digest ghcr.io/edgelesssys/constellation/join-service:v$ver
+        crane digest ghcr.io/edgelesssys/constellation/access-manager:v$ver
+        crane digest ghcr.io/edgelesssys/constellation/kmsserver:v$ver
+        crane digest ghcr.io/edgelesssys/constellation/verification-service:v$ver
+        ```
+
+    10. Create a [production coreOS image](/.github/workflows/build-coreos.yml)
 
         ```sh
         gh workflow run build-os-image.yml --ref release/v$minor -F debug=false -F imageVersion=v$ver
         ```
 
-    9. Update [default images in config](/internal/config/images_enterprise.go)
-    10. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability.
+        * Once the pipeline has finished, download the artifact `image-qemu`.
+        * Unzip the downloaded artifact, rename it to `constellation.raw`.
+        * Go to the [S3 bucket for QEMU images](https://s3.console.aws.amazon.com/s3/buckets/cdn-constellation-backend?region=eu-central-1&prefix=constellation/images/mini-constellation/&showversions=false)
+        * Create a new folder for the given version, and upload `constellation.raw` into it.
+
+        Then update the QEMU measurements in [measurements.go](../../internal/config/measurements.go#L55-L57) with the values from "Calculate PCRs (qemu) summary" from the same pipeline. Note that some formatting is necessary:
+
+        ```python
+        s="1be79839dd353741b14f3d8cef4e361e4b17e6033a44919bf0ee4dbb03ea98dd"
+        for i in range(0, 64, 2): print(f"0x{s[i:i+2]}, ", end='')
+        # 0x1b, 0xe7, 0x98, 0x39, 0xdd, 0x35, 0x37, 0x41, 0xb1, 0x4f, ...
+        ```
+
+    11. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability.
 
         ```sh
         gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
@@ -69,14 +93,14 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
         gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
         ```
 
-    11. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP.
+    12. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP.
 
         ```sh
            gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
            gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
         ```
 
-    12. Create a new tag on this release branch
+    13. Create a new tag on this release branch
 
         ```sh
         git tag v$ver
@@ -90,7 +114,22 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
         ```
 
         * The previous step will create a draft release. Check build output for link to draft release. Review & approve.
-5. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users.
+5. Export, download and make image available in S3 for trusted launch users. To achieve this:
+
+    ```sh
+    TARGET_DISK=export-${ver}
+    az disk create -g constellation-images -l westus -n ${TARGET_DISK} --hyper-v-generation V2 --os-type Linux --sku standard_lrs --security-type TrustedLaunch --gallery-image-reference /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/${ver}
+    ```
+
+    * Find the created resource in Azure
+    * Go to `Settings` -> `Export` and `Generate URLs`
+    * Download both the disk image (first link) and VM state (second link)
+    * Rename disk (`abcd`) to `constellation.img`.
+    * Rename state (UUID) to `constellation.vmgs`.
+    * Go to [AWS S3 bucket for trusted launch](https://s3.console.aws.amazon.com/s3/buckets/cdn-constellation-backend?prefix=constellation/images/azure/trusted-launch/&region=eu-central-1), create a new folder with the given version number.
+    * Upload both image and state into the newly created folder.
+    * Delete the disk in Azure!
+
 6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
 7. Milestones management
    1. Create a new milestone for the next release
@@ -107,3 +146,5 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
     git tag v$nextMinorVer-pre
     git push origin main v$nextMinorVer-pre
     ```
+
+9. Test Constellation mini up

CHANGELOG.md

@@ -34,7 +34,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Security
 
-## [2.2.1] - 2022-11-14
+## [2.2.2] - 2022-11-16
+
+Contains no changes compared to v2.2.1.
+
+v2.2.2 was released, to fix a release process error encountered in v2.2.1. This lead to a broken QEMU-based Constellation deployment.
+
+## [2.2.1] - 2022-11-16
 
 ### Changed
 

CMakeLists.txt

@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.11)
-project(constellation LANGUAGES C VERSION 2.2.1)
+project(constellation LANGUAGES C VERSION 2.2.2)
 set(CLI_BUILD_TAGS "" CACHE STRING "Tags passed to go build of Constellation CLI.")
 
 enable_testing()

cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml

@@ -2,35 +2,35 @@ apiVersion: v2
 name: constellation-services
 description: A chart to deploy all microservices that are part of a valid constellation cluster
 type: application
-version: 2.2.1
+version: 2.2.2
 
 dependencies:
   - name: kms
-    version: 2.2.1
+    version: 2.2.2
     tags:
       - Azure
       - GCP
       - AWS
       - QEMU
   - name: join-service
-    version: 2.2.1
+    version: 2.2.2
     tags:
       - Azure
       - GCP
       - AWS
       - QEMU
   - name: ccm
-    version: 2.2.1
+    version: 2.2.2
     tags:
       - Azure
       - GCP
       - AWS
   - name: cnm
-    version: 2.2.1
+    version: 2.2.2
     tags:
       - Azure
   - name: autoscaler
-    version: 2.2.1
+    version: 2.2.2
     tags:
       - Azure
       - GCP

cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: autoscaler
 description: A Helm chart to deploy the cluster autoscaler.
 type: application
-version: 2.2.1
+version: 2.2.2

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: ccm
 description: A Helm chart to deploy the cloud controller manager.
 type: application
-version: 2.2.1
+version: 2.2.2

cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: cnm
 description: A chart to deploy cloud node manager for constellation
 type: application
-version: 2.2.1
+version: 2.2.2

cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: join-service
 description: A chart to deploy the Constellation join-service
 type: application
-version: 2.2.1
+version: 2.2.2

cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: kms
 description: A Helm chart to deploy the Constellation Key Management Service
 type: application
-version: 2.2.1
+version: 2.2.2

internal/config/images_enterprise.go

@@ -9,6 +9,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config
 
 const (
-	DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.1"
-	DefaultImageGCP   = "projects/constellation-images/global/images/constellation-v2-2-1"
+	DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.2"
+	DefaultImageGCP   = "projects/constellation-images/global/images/constellation-v2-2-2"
 )

internal/versions/versions.go

@@ -46,13 +46,13 @@ const (
 	// These images are built in a way that they support all versions currently listed in VersionConfigs.
 	KonnectivityAgentImage  = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container
 	KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c"             // renovate:container
-	JoinImage               = "ghcr.io/edgelesssys/constellation/join-service:v2.2.1@sha256:52def1e33af92a29084a246d182c5e35cb455bcc2fbfeb0f9c586682dd18a6ce"              // renovate:container
-	AccessManagerImage      = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.1@sha256:5d48b825e5ee265231ae327e3d1445918bfa7fd5c24df9d346d76de2b7522d29"            // renovate:container
-	KmsImage                = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.1@sha256:719be67709a2ac1fcacc6fd3456dea85aeff8e529cd6f0099bf52428bc57f791"                 // renovate:container
-	VerificationImage       = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.1@sha256:f13159dbe6acc4991c863e312136c563851ec9669238b6c51e4891b89bbb7897"      // renovate:container
+	JoinImage               = "ghcr.io/edgelesssys/constellation/join-service:v2.2.2@sha256:81d4bfd0356e4048f2a4c905b56e9d879d0d572c0257581a15deb9ded154181f"              // renovate:container
+	AccessManagerImage      = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.2@sha256:b65f82aa34e4b5b4fbf92df671206ee2362be76e0016a968a72ac84eaade1855"            // renovate:container
+	KmsImage                = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.2@sha256:9829b503ffe28457f77200e6f0fb9e7e163c0dec775175883fb9cfa9a12eb714"                 // renovate:container
+	VerificationImage       = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.2@sha256:7f5c18320693c4f3faa3d2a6f4a26dbae346bcf50c45d791aad8f59c83bc9942"      // renovate:container
 	// Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml.
 	GcpGuestImage            = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905"                // renovate:container
-	NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.1@sha256:ce65d00b9cd775dfc23566c5de8a8433c153f104ef217bb6528ddfc1a764757f" // renovate:container
+	NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.2@sha256:58bbb95cb59c39e8cb01fd32fa1d5a58f5841891af6d47ba2d6f5fd6e43cea9c" // renovate:container
 	// TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog
 	// once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved.
 	NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog:v0.13.1-alpha1@sha256:d382c3aaf9bc470cde6f6c05c2c6ff5c9dcfd90540d5b11f9cf69c4e1dd1ca9d" // renovate:container
@@ -61,7 +61,7 @@ const (
 	LibvirtImage      = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce"           // renovate:container
 
 	// ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images.
-	ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.1/constellation.raw"
+	ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.2/constellation.raw"
 
 	// currently supported versions.
 	//nolint:revive