diff --git a/.github/docs/release.md b/.github/docs/release.md
index 01468e41e..f103ab452 100644
--- a/.github/docs/release.md
+++ b/.github/docs/release.md
@@ -52,15 +52,39 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers 2. Create a new block for unreleased changes 5. Update project version in [CMakeLists.txt](/CMakeLists.txt) to `1.3.0` (without v). 6. Update the `version` key in [constellation-services/Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml). Also update the `version` key for all subcharts, e.g. [Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml). Lastly, update the `dependencies.*.version` key for all dependencies in the main chart [constellation-services/Chart.yaml](/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml). - 7. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**. - 8. Create a [production coreOS image](/.github/workflows/build-coreos.yml) + 7. Update [default image versions in enterprise config](/internal/config/images_enterprise.go) + 8. Increase version number of QEMU image `ConstellationQEMUImageURL` in [versions.go](../../internal/versions/versions.go#L64) + 9. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**. + + ```sh + # crane: https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md + crane digest ghcr.io/edgelesssys/constellation/node-operator-catalog:v$ver + crane digest ghcr.io/edgelesssys/constellation/join-service:v$ver + crane digest ghcr.io/edgelesssys/constellation/access-manager:v$ver + crane digest ghcr.io/edgelesssys/constellation/kmsserver:v$ver + crane digest ghcr.io/edgelesssys/constellation/verification-service:v$ver + ``` + + 10. 
Create a [production coreOS image](/.github/workflows/build-coreos.yml) ```sh gh workflow run build-os-image.yml --ref release/v$minor -F debug=false -F imageVersion=v$ver ``` - 9. Update [default images in config](/internal/config/images_enterprise.go) - 10. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability. + * Once the pipeline has finished, download the artifact `image-qemu`. + * Unzip the downloaded artifact, rename it to `constellation.raw`. + * Go to the [S3 bucket for QEMU images](https://s3.console.aws.amazon.com/s3/buckets/cdn-constellation-backend?region=eu-central-1&prefix=constellation/images/mini-constellation/&showversions=false) + * Create a new folder for the given version, and upload `constellation.raw` into it. + + Then update the QEMU measurements in [measurements.go](../../internal/config/measurements.go#L55-L57) with the values from "Calculate PCRs (qemu) summary" from the same pipeline. Note that some formatting is necessary: + + ```python + s="1be79839dd353741b14f3d8cef4e361e4b17e6033a44919bf0ee4dbb03ea98dd" + for i in range(0, 64, 2): print(f"0x{s[i:i+2]}, ", end='') + # 0x1b, 0xe7, 0x98, 0x39, 0xdd, 0x35, 0x37, 0x41, 0xb1, 0x4f, ... + ``` + + 11. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability. ```sh gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false 
@@ -69,14 +93,14 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false ``` - 11. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP. + 12. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP. ```sh gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false ``` - 12. Create a new tag on this release branch + 13. Create a new tag on this release branch ```sh git tag v$ver 
@@ -90,7 +114,22 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers ``` * The previous step will create a draft release. Check build output for link to draft release. Review & approve. -5. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users. +5. Export, download and make image available in S3 for trusted launch users. To achieve this: + + ```sh + TARGET_DISK=export-${ver} + az disk create -g constellation-images -l westus -n ${TARGET_DISK} --hyper-v-generation V2 --os-type Linux --sku standard_lrs --security-type TrustedLaunch --gallery-image-reference /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation/versions/${ver} + ``` + + * Find the created resource in Azure + * Go to `Settings` -> `Export` and `Generate URLs` + * Download both the disk image (first link) and VM state (second link) + * Rename disk (`abcd`) to `constellation.img`. + * Rename state (UUID) to `constellation.vmgs`. + * Go to [AWS S3 bucket for trusted launch](https://s3.console.aws.amazon.com/s3/buckets/cdn-constellation-backend?prefix=constellation/images/azure/trusted-launch/®ion=eu-central-1), create a new folder with the given version number. + * Upload both image and state into the newly created folder. + * Delete the disk in Azure! + 6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main 7. Milestones management 1. Create a new milestone for the next release @@ -107,3 +146,5 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers git tag v$nextMinorVer-pre git push origin main v$nextMinorVer-pre ``` + +9. Test Constellation mini up 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d7fb503ad..111eaa770 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,7 +34,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Security
-## [2.2.1] - 2022-11-14
+## [2.2.2] - 2022-11-16
+
+Contains no changes compared to v2.2.1.
+
+v2.2.2 was released, to fix a release process error encountered in v2.2.1. This lead to a broken QEMU-based Constellation deployment.
+
+## [2.2.1] - 2022-11-16
 ### Changed
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0ca48c04b..f109279dd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.11)
-project(constellation LANGUAGES C VERSION 2.2.1)
+project(constellation LANGUAGES C VERSION 2.2.2)
 set(CLI_BUILD_TAGS "" CACHE STRING "Tags passed to go build of Constellation CLI.")
 enable_testing()
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
index 749ddcd3f..824d9e53b 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
@@ -2,35 +2,35 @@ apiVersion: v2
 name: constellation-services
 description: A chart to deploy all microservices that are part of a valid constellation cluster
 type: application
-version: 2.2.1
+version: 2.2.2
 dependencies:
 - name: kms
- version: 2.2.1
+ version: 2.2.2
 tags:
 - Azure
 - GCP
 - AWS
 - QEMU
 - name: join-service
- version: 2.2.1
+ version: 2.2.2
 tags:
 - Azure
 - GCP
 - AWS
 - QEMU
 - name: ccm
- version: 2.2.1
+ version: 2.2.2
 tags:
 - Azure
 - GCP
 - AWS
 - name: cnm
- version: 2.2.1
+ version: 2.2.2
 tags:
 - Azure
 - name: autoscaler
- version: 2.2.1
+ version: 2.2.2
 tags:
 - Azure
 - GCP
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
index 4ac29e9f3..1ffddc4a3 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: autoscaler
 description: A Helm chart to deploy the cluster autoscaler.
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
index a5560c952..1c2ebe5d8 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: ccm
 description: A Helm chart to deploy the cloud controller manager.
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
index f546742dd..226e5a43b 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: cnm
 description: A chart to deploy cloud node manager for constellation
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
index 54b733bb1..37afc68a1 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: join-service
 description: A chart to deploy the Constellation join-service
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
index e5f64e131..4309d1ee7 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: kms
 description: A Helm chart to deploy the Constellation Key Management Service
 type: application
-version: 2.2.1
+version: 2.2.2
diff --git a/internal/config/images_enterprise.go b/internal/config/images_enterprise.go
index 8f85aefec..020b66b1a 100644
--- a/internal/config/images_enterprise.go
+++ b/internal/config/images_enterprise.go
@@ -9,6 +9,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 package config
 const (
- DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.1"
- DefaultImageGCP = "projects/constellation-images/global/images/constellation-v2-2-1"
+ DefaultImageAzure = "/communityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/2.2.2"
+ DefaultImageGCP = "projects/constellation-images/global/images/constellation-v2-2-2"
 )
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index a6f7a5a82..ecdc0ec5d 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -46,13 +46,13 @@ const (
 // These images are built in a way that they support all versions currently listed in VersionConfigs.
 KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da" // renovate:container
 KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.33@sha256:2c111f004bec24888d8cfa2a812a38fb8341350abac67dcd0ac64e709dfe389c" // renovate:container
- JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.1@sha256:52def1e33af92a29084a246d182c5e35cb455bcc2fbfeb0f9c586682dd18a6ce" // renovate:container
- AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.1@sha256:5d48b825e5ee265231ae327e3d1445918bfa7fd5c24df9d346d76de2b7522d29" // renovate:container
- KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.1@sha256:719be67709a2ac1fcacc6fd3456dea85aeff8e529cd6f0099bf52428bc57f791" // renovate:container
- VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.1@sha256:f13159dbe6acc4991c863e312136c563851ec9669238b6c51e4891b89bbb7897" // renovate:container
+ JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.2.2@sha256:81d4bfd0356e4048f2a4c905b56e9d879d0d572c0257581a15deb9ded154181f" // renovate:container
+ AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.2.2@sha256:b65f82aa34e4b5b4fbf92df671206ee2362be76e0016a968a72ac84eaade1855" // renovate:container
+ KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.2.2@sha256:9829b503ffe28457f77200e6f0fb9e7e163c0dec775175883fb9cfa9a12eb714" // renovate:container
+ VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.2.2@sha256:7f5c18320693c4f3faa3d2a6f4a26dbae346bcf50c45d791aad8f59c83bc9942" // renovate:container
 // Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml.
 GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:20220927.00@sha256:3dea1ae3f162d2353e6584b325f0e325a39cda5f380f41e5a0ee43c6641d3905" // renovate:container
- NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.1@sha256:ce65d00b9cd775dfc23566c5de8a8433c153f104ef217bb6528ddfc1a764757f" // renovate:container
+ NodeOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-operator-catalog:v2.2.2@sha256:58bbb95cb59c39e8cb01fd32fa1d5a58f5841891af6d47ba2d6f5fd6e43cea9c" // renovate:container
 // TODO: switch node maintenance operator catalog back to upstream quay.io/medik8s/node-maintenance-operator-catalog
 // once https://github.com/medik8s/node-maintenance-operator/issues/49 is resolved.
 NodeMaintenanceOperatorCatalogImage = "ghcr.io/edgelesssys/constellation/node-maintenance-operator-catalog:v0.13.1-alpha1@sha256:d382c3aaf9bc470cde6f6c05c2c6ff5c9dcfd90540d5b11f9cf69c4e1dd1ca9d" // renovate:container
@@ -61,7 +61,7 @@ const (
 LibvirtImage = "ghcr.io/edgelesssys/constellation/libvirt:v2.2.0@sha256:81ddc30cd679a95379e94e2f154861d9112bcabfffa96330c09a4917693f7cce" // renovate:container
 // ConstellationQEMUImageURL is the artifact URL for QEMU qcow2 images.
- ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.1/constellation.raw"
+ ConstellationQEMUImageURL = "https://cdn.confidential.cloud/constellation/images/mini-constellation/v2.2.2/constellation.raw"
 // currently supported versions. //nolint:revive
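Review bot: The new `ConstellationQEMUImageURL` value is the only artifact reference changed in this file that carries no content digest: every container image constant in the hunk above is pinned with `@sha256:…`, while the raw QEMU image is fetched by a mutable path under `mini-constellation/v2.2.2/`. The CHANGELOG entry in this same commit attributes the broken v2.2.1 QEMU deployment to a release-process error, which is exactly the class of mistake a recorded digest would surface at review time instead of at first boot. The release doc in this commit says the image's integrity is anchored by the QEMU PCR values copied by hand into measurements.go; I cannot confirm that from this diff, so at minimum the constant's comment should state it, e.g. `// The raw image is not digest-pinned here; it is validated against the QEMU PCR values in measurements.go, so both must be updated together on release.`. If the download path can verify a hash, a sibling constant holding the image's SHA-256 (taken from the build pipeline, not computed after upload) would turn that manual step into a checkable one.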