This workflow touches shared state by deleting all objects of a bucket and then
uploading a signed blob of data to that S3 bucket under a fixed name.
It also does so multiple times in a row, while invalidating the cloudfront
cache and checking if the uploaded object exists.
All runs of this workflow share the same bucket.
Since this pipeline runs on any modification of go.mod, it is very prone
to race condition between PRs (or PRs and main).
* Run gcp-sev-snp debug e2e test in daily
* Fix verify e2e test not creating json file for gcp-sev-snp
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Fix whitespace errors
* Remove usage of external action to URI encode component
* Upgrade Azure login action to v2.1
* Remove GitHub actions warning when running e2e test with NOP payload
* Only try to upload updated tf state if it exists
* Upgrade out of date aws credential actions
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Use github.run_id to correctly tag resources with the run id
* Ensure `--tags` flag is only set if CLI supports it
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* terraform: enable creation of SEV-SNP VMs on GCP
* variant: add SEV-SNP attestation variant
* config: add SEV-SNP config options for GCP
* measurements: add GCP SEV-SNP measurements
* gcp: separate package for SEV-ES
* attestation: add GCP SEV-SNP attestation logic
* gcp: factor out common logic
* choose: add GCP SEV-SNP
* cli: add TF variable passthrough for GCP SEV-SNP variables
* cli: support GCP SEV-SNP for `constellation verify`
* Adjust usage of GCP SEV-SNP throughout codebase
* ci: add GCP SEV-SNP
* terraform-provider: support GCP SEV-SNP
* docs: add GCP SEV-SNP reference
* linter fixes
* gcp: only run test with TPM simulator
* gcp: remove nonsense test
* Update cli/internal/cmd/verify.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update docs/docs/overview/clouds.md
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* linter fixes
* terraform_provider: correctly pass down CC technology
* config: mark attestationconfigapi as unimplemented
* gcp: fix comments and typos
* snp: use nonce and PK hash in SNP report
* snp: ensure we never use ARK supplied by Issuer (#3025)
* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* attestationconfigapi: add GCP to uploading
* snp: use correct cert
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP
* linter fixes
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* workflows: add error handling to e2e windows liveness probe
* update retry condition in last iteration
* Update liveness probe to check for correct number of nodes
* ci: fix Windows e2e test not pushing required container images (#3021)
* More output when waiting for nodes to get ready
* Create unique resource group name for Windows e2e test
* Push container images on windows CLI build to fix e2e test
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Fix resource group naming
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
* Only delete namespace if its deletable
* For "default" namespace, delete all resources in that namespace
* For "kube-system" namespace, delete all PVCs in that namespace
* Don't abort terminate action if PVC deletion fails
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* ci: make waiting for nodes more robust
After initializing the cluster, a lot of things happen in parallel and
are potentially getting in each others' way: nodes are joining,
daemonsets are proliferating, the network is being set up. During this
period, it's not unusual that the Kubernetes API server is unavailable
for a short time, e.g. due to etcd loosing quorum or load balancing
changes.
This period of instability has the potential to affect all kubectl
commands negatively, leading to problems especially for tests, where
command failures often lead to test failures. On the other hand, we'd
expect everything to be quite stable after the initial dust settles.
Therefore, this commit changes how we wait after initializing a cluster.
Until we have a reasonable expectation of readiness, we ignore command
failures and wait for things to stabilize. The cluster is considered
stable once all configured nodes and all API servers report ready.
* Use collision resistant name for Terraform e2e test
* Remove test suffix from Terraform provider examples
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Fix potentially artifact naming in weekly tests
* Use e2e prefix for artifact naming in e2e-benchmark
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Make default instance type configurable for provider sample
* Set TDX instance type when running TDX provider e2e test
* Fix missing attestation variant when setting up stub config in provider e2e test
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
