Commit Graph

537 Commits

Author SHA1 Message Date
Moritz Sanft
35e19a45bb
ci: disable SEV-SNP tests that need stable images (#3031) 2024-04-17 09:12:52 +02:00
Moritz Sanft
913b09aeb8
Support SEV-SNP on GCP (#3011)
* terraform: enable creation of SEV-SNP VMs on GCP

* variant: add SEV-SNP attestation variant

* config: add SEV-SNP config options for GCP

* measurements: add GCP SEV-SNP measurements

* gcp: separate package for SEV-ES

* attestation: add GCP SEV-SNP attestation logic

* gcp: factor out common logic

* choose: add GCP SEV-SNP

* cli: add TF variable passthrough for GCP SEV-SNP variables

* cli: support GCP SEV-SNP for `constellation verify`

* Adjust usage of GCP SEV-SNP throughout codebase

* ci: add GCP SEV-SNP

* terraform-provider: support GCP SEV-SNP

* docs: add GCP SEV-SNP reference

* linter fixes

* gcp: only run test with TPM simulator

* gcp: remove nonsense test

* Update cli/internal/cmd/verify.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update docs/docs/overview/clouds.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update terraform-provider-constellation/internal/provider/attestation_data_source_test.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* linter fixes

* terraform_provider: correctly pass down CC technology

* config: mark attestationconfigapi as unimplemented

* gcp: fix comments and typos

* snp: use nonce and PK hash in SNP report

* snp: ensure we never use ARK supplied by Issuer (#3025)

* Make sure SNP ARK is always loaded from config, or fetched from AMD KDS
* GCP: Set validator `reportData` correctly

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* attestationconfigapi: add GCP to uploading

* snp: use correct cert

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform-provider: enable fetching of attestation config values for GCP SEV-SNP

* linter fixes

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2024-04-16 18:13:47 +02:00
Malte Poll
2a226fd8e9
deps: update Go toolchain to 1.22.2 (#3010)
* deps: update Go toolchain to 1.22.2
* deps: update vulnerable dependencies (govulncheck)
2024-04-05 12:14:48 +02:00
miampf
febe8f0801
ci: add a delete artifact action (#2999) 2024-03-25 13:36:09 +00:00
Thomas Tendyck
b97f2b905a
ci: fix unwanted license checks for some e2e test configs (#3001)
* ci: fix unwanted license checks for some e2e test configs

* fixup! ci: fix unwanted
2024-03-22 20:45:45 +01:00
Daniel Weiße
0da6f0d014
ci: fix pvc clean-up on non deletable namespaces (#2994)
* Only delete namespace if its deletable
  * For "default" namespace, delete all resources in that namespace
  * For "kube-system" namespace, delete all PVCs in that namespace
* Don't abort terminate action if PVC deletion fails

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-03-19 14:53:58 +01:00
Markus Rudy
1a10cf645d
ci: query identity directly instead of searching in list (#2985)
* ci: add debug information when UAMI is missing

* ci: query identity directly instead of searching in list
2024-03-18 08:40:15 +01:00
Markus Rudy
85b44f7f57
ci: make waiting for nodes more robust (#2981)
* ci: make waiting for nodes more robust

After initializing the cluster, a lot of things happen in parallel and
are potentially getting in each others' way: nodes are joining,
daemonsets are proliferating, the network is being set up. During this
period, it's not unusual that the Kubernetes API server is unavailable
for a short time, e.g. due to etcd loosing quorum or load balancing
changes.

This period of instability has the potential to affect all kubectl
commands negatively, leading to problems especially for tests, where
command failures often lead to test failures. On the other hand, we'd
expect everything to be quite stable after the initial dust settles.

Therefore, this commit changes how we wait after initializing a cluster.
Until we have a reasonable expectation of readiness, we ignore command
failures and wait for things to stabilize. The cluster is considered
stable once all configured nodes and all API servers report ready.
2024-03-13 09:42:18 +01:00
Malte Poll
5e241bcb45 deps: update Go to v1.22.1 2024-03-06 14:50:01 +01:00
Malte Poll
93eb8f0694
release: use cosign sign-blob in non-interative mode (#2953) 2024-02-29 09:40:13 +01:00
Daniel Weiße
80518379c4
ci: fix artifact naming problems in e2e test (#2948)
* Fix potentially artifact naming in weekly tests
* Use e2e prefix for artifact naming in e2e-benchmark

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-02-27 08:59:22 +01:00
renovate[bot]
62acec17f6
deps: update Constellation containers (#2921)
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2024-02-22 14:04:42 +01:00
Malte Poll
2300a31276 deps: update all 3rdparty github actions 2024-02-21 17:53:53 +01:00
Daniel Weiße
7edd6259d1
ci: fix duplicate benchmark artificat name (#2934)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-02-21 15:34:30 +01:00
Markus Rudy
98a1cfa2ca
ci: fetch latest console logs on aws (#2926) 2024-02-21 13:46:25 +01:00
renovate[bot]
abf6b4924a deps: update Python dependencies 2024-02-21 13:32:15 +01:00
Malte Poll
38ef546362 deps: update Go to 1.22.0 2024-02-20 18:27:16 +01:00
Malte Poll
980b2f0e87 ci: login to OpenStack provider 2024-02-19 18:16:45 +01:00
renovate[bot]
3765cb0762
deps: update actions/upload-artifact and actions/download-artifact action to v4 (#2756)
* deps: update actions/upload-artifact action to v4
* deps: update actions/download-artifacts action to v4

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-02-07 14:50:15 +01:00
Moritz Sanft
dde3430da8
terraform: support AWS marketplace images (#2888)
* terraform: support AWS marketplace images

* terraform-provider: support AWS marketplace images

* docs: add instructions on AWS marketplace images

* ci: adapt marketplace image test for AWS

* Update internal/config/config.go

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

* docs: update config

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* docs: update license information

* docs: use CSP tabs for marketplace overview

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update docs/docs/getting-started/marketplaces.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

---------

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2024-02-06 12:13:59 +01:00
Markus Rudy
c020f7ac20
cleanup: various minor debugging improvements (#2889)
* ci: improve constellation_create error message

When we hit a timeout due to nodes not coming up, the actual error
message is hard to make out because it's buried in a group. With the
right formatting, the error message will be highlighted in the UI.

Another improvement is to output the state of nodes, which helps
debugging the cause of nodes not joining or not becoming ready.

* cleanup: use NodeVersionResourceName constant

... instead of literal strings.

* ci: correctly notify on e2e upgrade error

* atls: report cert extension OIDs on mismatch

If the certificate contains an attestation document for SEV-SNP, but the
given validator is for Nitro, verifyEmbeddedReport should not claim that
there is no attestation document, but that there is no _compatible_ one
and what the incompatible ones were.
2024-02-02 16:46:28 +01:00
Moritz Sanft
d5e4435e3d
ci: reduce amount of regular tests (#2885)
* .github: add e2e test to pr checklist

* ci: use sonobuoy quick where possible

* ci: run malicious join test on release

* ci: remove self managed infra test

* ci: remove non-example terraform test from weekly

* ci: run Sonobuoy full on the latest k8s version weekly

* ci: run weekly sonobuoy quick on all k8s versions

* ci: don't run double sonobuoy tests on latest k8s version
2024-02-01 15:05:07 +01:00
Daniel Weiße
befc7cdf63
ci: don't delete local cached providers when uploading Terraform state (#2884)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-02-01 09:54:40 +01:00
Adrian Stobbe
9b547bced0
ci: v2.15 post-release cleanup (#2881)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2024-01-31 16:45:20 +01:00
miampf
eabcdbe931
ci: Upload e2e terraform state as artifact (#2853) 2024-01-31 15:22:05 +00:00
Adrian Stobbe
d873ddb09d
fix self managed azure tdx (#2878) 2024-01-31 08:18:51 +01:00
Daniel Weiße
40c4109dc2
ci: fix empty run-id in OpenSearch URL (#2876)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-30 08:57:27 +01:00
Markus Rudy
f78f5540bc
ci: pin the kube-bench plugin definitions for sonobuoy (#2861) 2024-01-29 14:50:27 +01:00
Daniel Weiße
d372130bfd
ci: safely set attestation variant in OpenSearch URL (#2864)
* Add attestation variant to notify hooks
* Quote all inputs in OpenSearch URL
* Add clusterCreation field to OpenSearch URL
* Omit empty fields in OpenSearch URL

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-29 11:52:41 +01:00
Daniel Weiße
d17e7459db Choose TDX supported region for TDX tests
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-26 17:06:28 +01:00
Daniel Weiße
65d28f913f Allow starting e2e tests based on attestation variant instead of csp
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-26 17:06:28 +01:00
Daniel Weiße
78b9b0fc96
terraform-provider: enable Azure TDX (#2854)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-26 15:46:21 +01:00
renovate[bot]
d58d888f54 deps: update dependency Pillow to v10.2.0 [SECURITY] 2024-01-26 15:41:44 +01:00
Moritz Eckert
26f6fd074f
ci: fix e2e_benchmark comparison 2024-01-25 11:12:32 +01:00
Adrian Stobbe
4431ac3233
ci: fix missing quotes in Opensearch link (#2852) 2024-01-24 17:29:19 +01:00
Adrian Stobbe
4db0662b06
ci: remove broken label from OpenSearch query link (#2839) 2024-01-23 08:32:02 +01:00
Malte Poll
66faa5493f deps: Go 1.21.6 2024-01-22 13:11:58 +01:00
Malte Poll
9181705299
ci: use sonobuoy 0.57.1 (#2821) 2024-01-16 13:19:46 +01:00
Markus Rudy
bdca822d8a
ci: remove derpsteb from e2e assignee list (#2816) 2024-01-12 08:09:38 +01:00
Markus Rudy
b267457541
ci: fix OpenSearch link for e2e notifications (#2813)
* ci: fix OpenSearch link for e2e notifications
2024-01-10 09:49:47 +01:00
Markus Rudy
49ecb2415f
ci: remove reference to absent go.mod file (#2811) 2024-01-09 23:07:16 +01:00
Markus Rudy
ef6f63dc48
Fix various small things throughout the codebase (#2800)
* bootstrapper: remove obsolete log statement

* ci: simplify variable usage

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>

* cli: add missing formatting directive

* helm: fix rm invocation

* ci: document reproducible-builds workflow

* constants: use variables for measurement files

* constants: use variables for CDN distribution ID

* ci: make Helm version explicit

* api: prettify versionsapi-list output

* ci: remove obsolete docstring

---------

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>
2024-01-09 19:37:56 +01:00
Moritz Sanft
e691e26bd3
cli: support for GCP marketplace images (#2792)
* cli: support GCP marketplace images

* ci: support GCP marketplace images

* docs: support GCP marketplace images

* bazel: generate

* ci: allow GCP for mpi e2e test

* Update docs/docs/overview/license.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* terraform-provider: allow GCP MPIs

* terraform-provider: fix error message

---------

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2024-01-08 15:51:39 +01:00
Malte Poll
d3b951300d
ci: explicitly build s3proxy container image tag before referencing (#2806)
Otherwise, the file might not exist.
2024-01-08 14:32:08 +01:00
Daniel Weiße
1271e95c0c Fix missing Kubernetes version for Terraform e2e test
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-01-08 13:52:55 +01:00
Markus Rudy
c23aef344d
ci: don't export e2e metrics to OpenSearch (#2794)
* ci: don't export e2e metrics to OpenSearch
* debugd: don't export metrics
2024-01-05 10:15:53 +01:00
renovate[bot]
136a69e7c8
deps: update actions/setup-python action to v5 (#2755)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-05 09:29:16 +01:00
Adrian Stobbe
8730e72319
ci: e2e test for Terraform provider examples (#2745) 2024-01-04 10:00:21 +01:00
3u13r
07c884b945
ci: remove artifact encryption for public artifacts (#2776)
* ci: remove artifact encryption for public artifacts

* revert parts of  #2765

* ci: add unused action exception for encrypted artifact download
2023-12-29 11:02:37 +01:00
Daniel Weiße
8c1972c335
ci: fix artifact upload in image build pipeline (#2765)
* Fix parameter expansion when uploading multiple files
* On download, ensure target directory exists
* Rename encryption-secret -> encryptionSecret
* Remove incorrect secret access from e2e test action
* Add missing checkout action to workflows using our download action
* Fix spacing
* Fix upload action uploading whole directory structure instead of target files
* Explicitly give write permissions to Azure disk image, since permissions are no longer dropped on upload

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-12-21 19:28:18 +01:00