Commit Graph

1118 Commits

Author SHA1 Message Date
Malte Poll
b86faadfcc tidy: document MODULE.bazel.lock maintencance 2024-05-23 09:48:04 +02:00
Daniel Weiße
d0bab9eb08
ci: ignore missing files when creating archive (#3118)
* Reduce output noise from using 7zip
* Ignore non existent files when creating archive

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-23 09:24:15 +02:00
renovate[bot]
36a827056f
deps: update softprops/action-gh-release action to v2 (#3103)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-15 10:54:37 +02:00
renovate[bot]
af64f99bfe
deps: update google-github-actions/auth action to v2.1.3 (#3094)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-15 09:28:58 +02:00
renovate[bot]
ed54277f78
deps: update actions/download-artifact action to v4 (#3096)
* deps: update actions/download-artifact action to v4

* Update slsa generator action to v2

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2024-05-15 09:26:10 +02:00
renovate[bot]
73d86c25df
deps: update azure/login action to v2 (#3097)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-15 09:05:50 +02:00
renovate[bot]
d5d5ea857d
deps: update github/codeql-action action to v3 (#3099)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-15 09:05:38 +02:00
renovate[bot]
62baa9bed2
deps: update cachix/install-nix-action action to v26 (#3098)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-15 08:59:07 +02:00
renovate[bot]
c866e3d670
deps: update actions/checkout action to v4 (#3095)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-15 08:58:56 +02:00
Markus Rudy
8e3cf5a270
s3proxy: commit image version on release, too (#3093) 2024-05-14 15:45:06 +02:00
Malte Poll
93fcb51e67 ci: explicitly set bazel test timeout to four hours for e2e tests
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2024-05-14 13:34:50 +02:00
Markus Rudy
43e6b85026
ci: only assign reviewer to bot PRs (#3091) 2024-05-14 10:02:00 +02:00
renovate[bot]
d76c9ac82d
deps: update GitHub action dependencies (#3086)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-13 10:42:07 +02:00
Malte Poll
03475b60b3
ci: disable BuildBuddy (#3077) 2024-05-10 11:14:45 +02:00
Markus Rudy
174c3ab48a
terraform: add missing policies for AWS ALB (#3063)
* terraform: add missing policies for AWS ALB
2024-05-10 08:51:32 +02:00
Malte Poll
1c0c7d6227
ci: disable e2e-attestationconfigapi on PRs (#2937)
This workflow touches shared state by deleting all objects of a bucket and then
uploading a signed blob of data to that S3 bucket under a fixed name.
It also does so multiple times in a row, while invalidating the cloudfront
cache and checking if the uploaded object exists.
All runs of this workflow share the same bucket.
Since this pipeline runs on any modification of go.mod, it is very prone
to race condition between PRs (or PRs and main).
2024-05-08 14:59:03 +02:00
renovate[bot]
adf03ad76c
deps: update GitHub action dependencies (#3070)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-05-08 14:33:35 +02:00
Daniel Weiße
86c45d1d5f
deps: update to Go 1.22.3 (#3069)
* Update renovate syntax
* Update to Go 1.22.3

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-08 11:34:31 +02:00
Daniel Weiße
a15cf54477
ci: use 7zip for creating archives (#3068)
* Use 7zip for creating and processing encrypted archives
* Switch to .7z file extension
* Fix shell check issues
* Fix tfstate update logic

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-08 10:34:10 +02:00
Daniel Weiße
edc0c7068e
ci: fix delete artifact conditional (#3067)
* Fix state exists check
* Dont fail if folder to remove does not exist

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-07 08:48:38 +02:00
Thomas Tendyck
012937740f
Update action.yml 2024-05-07 01:52:35 +02:00
miampf
bd26cb592d
ci: correctly clean up failed windows e2e tests (#3059) 2024-05-03 10:54:08 +00:00
Daniel Weiße
f6999084c9
terraform: set empty default value for additional_tags (#3052)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-03 10:27:46 +02:00
Daniel Weiße
35bd805bec
ci: enable gcp-sev-snp for daily tests (#3058)
* Run gcp-sev-snp debug e2e test in daily
* Fix verify e2e test not creating json file for gcp-sev-snp

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-03 08:18:21 +02:00
Daniel Weiße
259e85d9c1
ci: reduce noise from warnings (#3055)
* Fix whitespace errors
* Remove usage of external action to URI encode component
* Upgrade Azure login action to v2.1
* Remove GitHub actions warning when running e2e test with NOP payload
* Only try to upload updated tf state if it exists
* Upgrade out of date aws credential actions

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-05-03 08:17:40 +02:00
miampf
0c0d87aa4c
ci: Delete e2e terraform state (#2874) 2024-04-26 10:06:01 +00:00
Daniel Weiße
680d3318af
ci: ensure --tags flag is only set if the CLI supports it (#3044)
* Use github.run_id to correctly tag resources with the run id
* Ensure `--tags` flag is only set if CLI supports it

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-04-26 09:34:21 +02:00
miampf
3f7a4e4313
ci: tag resources created by e2e tests with the run name (#3035) 2024-04-25 12:02:23 +00:00
Daniel Weiße
056f991f58
ci: add missing permission for e2e-windows test in weekly run (#3037)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-04-22 15:21:56 +02:00
Markus Rudy
9b52ec403b
deps: auto-assign reviewer for deps PRs (#3032)
* deps: auto-assign reviewer for deps PRs

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2024-04-17 20:38:32 +02:00
Moritz Sanft
35e19a45bb
ci: disable SEV-SNP tests that need stable images (#3031) 2024-04-17 09:12:52 +02:00
Moritz Sanft
913b09aeb8
Support SEV-SNP on GCP (#3011)
* terraform: enable creation of SEV-SNP VMs on GCP

* variant: add SEV-SNP attestation variant

* config: add SEV-SNP config options for GCP

* measurements: add GCP SEV-SNP measurements

* gcp: separate package for SEV-ES

* attestation: add GCP SEV-SNP attestation logic

* gcp: factor out common logic

* choose: add GCP SEV-SNP

* cli: add TF variable passthrough for GCP SEV-SNP variables

* cli: support GCP SEV-SNP for `constellation verify`

* Adjust usage of GCP SEV-SNP throughout codebase

* ci: add GCP SEV-SNP

* terraform-provider: support GCP SEV-SNP

* docs: add GCP SEV-SNP reference

* linter fixes

* gcp: only run test with TPM simulator

* gcp: remove nonsense test

* Update cli/internal/cmd/verify.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update docs/docs/overview/clouds.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* linter fixes

* terraform_provider: correctly pass down CC technology

* config: mark attestationconfigapi as unimplemented

* gcp: fix comments and typos

* snp: use nonce and PK hash in SNP report

* snp: ensure we never use ARK supplied by Issuer (#3025)

* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* attestationconfigapi: add GCP to uploading

* snp: use correct cert

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP

* linter fixes

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 18:13:47 +02:00
davidweisse
e89d8e4d72
ci: add error handling to e2e windows liveness probe (#3018)
* workflows: add error handling to e2e windows liveness probe

* update retry condition in last iteration

* Update liveness probe to check for correct number of nodes

* ci: fix Windows e2e test not pushing required container images (#3021)

* More output when waiting for nodes to get ready
* Create unique resource group name for Windows e2e test
* Push container images on windows CLI build to fix e2e test

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Fix resource group naming

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2024-04-11 11:27:12 +02:00
Daniel Weiße
6e31223ff9
ci: suppress license check on windows e2e (#3020)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-04-10 10:51:09 +02:00
Daniel Weiße
cddbba1898
ci: bump fromVersion for e2e tests to v2.16.2 (#3016)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-04-08 11:13:44 +02:00
Daniel Weiße
a2737e8f61
ci: bump slsa-verifier to v2.5.1 (#3015)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-04-05 21:00:33 +02:00
Daniel Weiße
408eb31422
ci: fix slsa generator action by updating to new version (#3014)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-04-05 14:29:52 +02:00
Malte Poll
2a226fd8e9
deps: update Go toolchain to 1.22.2 (#3010)
* deps: update Go toolchain to 1.22.2
* deps: update vulnerable dependencies (govulncheck)
2024-04-05 12:14:48 +02:00
miampf
febe8f0801
ci: add a delete artifact action (#2999) 2024-03-25 13:36:09 +00:00
Thomas Tendyck
b97f2b905a
ci: fix unwanted license checks for some e2e test configs (#3001)
* ci: fix unwanted license checks for some e2e test configs

* fixup! ci: fix unwanted
2024-03-22 20:45:45 +01:00
Daniel Weiße
0da6f0d014
ci: fix pvc clean-up on non deletable namespaces (#2994)
* Only delete namespace if its deletable
  * For "default" namespace, delete all resources in that namespace
  * For "kube-system" namespace, delete all PVCs in that namespace
* Don't abort terminate action if PVC deletion fails

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-03-19 14:53:58 +01:00
Markus Rudy
1a10cf645d
ci: query identity directly instead of searching in list (#2985)
* ci: add debug information when UAMI is missing

* ci: query identity directly instead of searching in list
2024-03-18 08:40:15 +01:00
Markus Rudy
85b44f7f57
ci: make waiting for nodes more robust (#2981)
* ci: make waiting for nodes more robust

After initializing the cluster, a lot of things happen in parallel and
are potentially getting in each others' way: nodes are joining,
daemonsets are proliferating, the network is being set up. During this
period, it's not unusual that the Kubernetes API server is unavailable
for a short time, e.g. due to etcd loosing quorum or load balancing
changes.

This period of instability has the potential to affect all kubectl
commands negatively, leading to problems especially for tests, where
command failures often lead to test failures. On the other hand, we'd
expect everything to be quite stable after the initial dust settles.

Therefore, this commit changes how we wait after initializing a cluster.
Until we have a reasonable expectation of readiness, we ignore command
failures and wait for things to stabilize. The cluster is considered
stable once all configured nodes and all API servers report ready.
2024-03-13 09:42:18 +01:00
Malte Poll
5e241bcb45 deps: update Go to v1.22.1 2024-03-06 14:50:01 +01:00
Daniel Weiße
d5b3d4fd6f
ci: use collision resistant name for Terraform e2e test (#2967)
* Use collision resistant name for Terraform e2e test
* Remove test suffix from Terraform provider examples

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-03-04 13:48:30 +01:00
Malte Poll
c513c3f40c ci: v2.16 post-release cleanup 2024-02-29 18:36:07 +01:00
Malte Poll
93eb8f0694
release: use cosign sign-blob in non-interative mode (#2953) 2024-02-29 09:40:13 +01:00
Malte Poll
0b6eeb3747
ci: match version of actions/download-artifact for slsa provenance (#2957) 2024-02-29 09:39:41 +01:00
Daniel Weiße
80518379c4
ci: fix artifact naming problems in e2e test (#2948)
* Fix potentially artifact naming in weekly tests
* Use e2e prefix for artifact naming in e2e-benchmark

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-02-27 08:59:22 +01:00
renovate[bot]
62acec17f6
deps: update Constellation containers (#2921)
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2024-02-22 14:04:42 +01:00