Commit Graph

3574 Commits

Author SHA1 Message Date
3u13r
548bb2dfa6
debugd: send requests over lb (#2346) 2023-09-19 16:10:22 +02:00
Moritz Sanft
49c37b3969
mount AWS credentials file into Bazel container (#2341)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-19 16:09:53 +02:00
renovate[bot]
82e561f139
deps: update Terraform google to v4.83.0 (#2344) 2023-09-19 15:17:21 +02:00
Adrian Stobbe
22c2a73ae2
cli: store kubernetes version as strong type in config (#2287)
Co-authored-by: Otto Bittner <cobittner@posteo.net>
Co-authored-by: 3u13r <lc@edgeless.systems>
2023-09-19 13:50:00 +02:00
renovate[bot]
348418a4a1
deps: update Kubernetes versions (#2342)
* deps: update Kubernetes versions

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2023-09-18 13:17:43 +02:00
Moritz Sanft
0a28cdecb2
ci: add malicious join test (#2304)
* malicious node join test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add e2e build tag

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add namespaces to job apply

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix image and workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* build instructions in Dockerfile

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only print important flags

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use `malicious-join` namespace

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* build with bazel

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* order imports

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* test cases

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing quotes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update e2e/malicious-join/malicious-join.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update e2e/malicious-join/malicious-join.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* use switch case

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use workdir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add required permissions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove permissions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove packages: write permission at step

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* login to registry

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix log

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* source base lib

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix sourcing order

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* export after definition

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix script header

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* dont exit after -e flag has been set

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-15 17:21:42 +02:00
katexochen
83cfc86df1 image: update measurements and image version 2023-09-15 08:37:08 +02:00
edgelessci
866861491a
docs: add release v2.11.0 (#2330)
Co-authored-by: 3u13r <3u13r@users.noreply.github.com>
2023-09-14 15:54:27 +02:00
3u13r
0982587a4d
chore: bump version.txt (#2334)
* chore: bump version.txt

* ci: bump upgrade version
2023-09-14 14:42:16 +02:00
3u13r
a03c686066
ci: bump install helm action (#2337) 2023-09-14 14:29:46 +02:00
3u13r
996542a075
ci: install helm when deploying log collection (#2333) 2023-09-14 12:03:13 +02:00
Moritz Sanft
95cf4bdf21
cli: perform upgrades in-place in Terraform workspace (#2317)
* perform upgrades in-place in terraform workspace

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add iam upgrade apply test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make config fetcher stubbable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* change workspace restoring behaviour

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* allow overwriting existing Terraform files

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* allow overwrites of TF variables

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix iam upgrade apply

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix embed directive

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make loader test less brittle

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pass upgrade ID to user

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* naming nit

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use upgradeDir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-14 11:51:20 +02:00
katexochen
9c54ff06e0 image: update measurements and image version 2023-09-14 10:16:45 +02:00
Malte Poll
fbd75106ef
bazel: never run buildifier in remote execution (#2261) 2023-09-12 14:48:06 +02:00
Malte Poll
f399fe148b
api: rename references to moved hack/configapi (#2329)
Fixes 376bc6d39f
2023-09-11 10:57:32 +02:00
3u13r
95c4294921
deps: bump filepath-securejoin (#2328) 2023-09-11 10:27:53 +02:00
Adrian Stobbe
b3bb486e59
node-operator: fix data race in executor (#2326) 2023-09-11 09:26:20 +02:00
Adrian Stobbe
92726dad2a
doc: --skip-flag in the upgrade workflow (#2313)
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-09 15:26:18 +02:00
edgelessci
4813296062
image: update measurements and image version (#2320)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-09-09 15:19:24 +02:00
Daniel Weiße
2a1996dbe1
cli: check chart versions against target version in users config before upgrading (#2319)
* Check chart versions against target in users config

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Cleaner cli-config version support checking

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* Return InvalidUpgradeError

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 23:09:02 +02:00
Daniel Weiße
5706e69091
Retry helm apply on any error (#2322)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 22:54:01 +02:00
Daniel Weiße
2cb0ce0b1b
Add troubleshooting notes for manually managing helm charts (#2327)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 22:27:25 +02:00
3u13r
a25c90e9bb
remove deprecated constellation create flags (#2325)
* chore: clean-up TODOs

* cli: make OpenStack error explicit

* cli: remove deprecated flags

* config: require DeployCSIDriver field
2023-09-08 21:15:02 +02:00
Adrian Stobbe
5960025da7
cli: new flag to skip phases of upgrade (#2310)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-08 14:55:07 +02:00
Malte Poll
7376c6a998
ci: remove aspect workflows (#2324) 2023-09-08 14:19:14 +02:00
Daniel Weiße
94a7b9e7b2
cli: save Helm charts to disk before running upgrades (#2305)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 12:02:16 +02:00
3u13r
6cb506bca7
deps: bump go version (#2318) 2023-09-08 10:19:07 +02:00
Daniel Weiße
9765003298
cli: print ordered measurements list during constellation verify (#2302)
* Print measurements as ordered list during verify
* Fix missing safety check in AWS attestation validation

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-08 08:08:09 +02:00
Adrian Stobbe
0eb9ca2e18
move csp logic to cloudcmd (#2311) 2023-09-07 12:10:36 +02:00
Daniel Weiße
25ba8ecfed
rfc: Constellation state file (#2281)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-09-07 08:55:46 +02:00
Daniel Weiße
442f904ceb
ci: don't automatically create git tag in release pipeline (#2316)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-07 08:47:01 +02:00
Daniel Weiße
327315d5de
csi: let constructor take care of setting up cryptsetup (#2312)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-06 15:05:59 +02:00
Otto Bittner
d3c940a6a0
ci: use virtee project for sev-snp-measure-go (#2307)
Our port is part of the virtee org. Lets use it to keep it up-to-date.
2023-09-06 14:02:53 +02:00
edgelessci
4b48b5fdef
image: update measurements and image version (#2309)
Co-authored-by: katexochen <katexochen@users.noreply.github.com>
2023-09-06 08:40:59 +02:00
Moritz Sanft
224178b936
use updated url (#2308)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-06 08:23:05 +02:00
Moritz Eckert
c7996481f2
docs: switch to native mermaid support (#2306) 2023-09-05 11:24:20 +02:00
Otto Bittner
6e5ba774d8 cli: disable nosmt via VMM temporarily.
AWS asked us to disable these options temporarily until they resolve
some internal issues that sometimes prevents these instances
from starting.
2023-09-05 08:23:18 +02:00
Otto Bittner
cb934ed087
image: move idle and nosmt to aws-only images (#2297)
We don't want these options on other CSPs. This is temporary until AWS
fixed some background issues.
We need to set the option we want to set differently on each provider
once per provider as we need to keep some of the options we set with
higher priority.
2023-09-04 14:02:10 +02:00
Malte Poll
ecfb6d9b1f
image: update to Linux 6.1.46 (#2268) 2023-09-04 11:41:25 +02:00
Otto Bittner
376bc6d39f api: move hack/configapi into internal/api
The tool has an e2e test and is part of our production pipeline.
2023-09-04 11:20:13 +02:00
Otto Bittner
97dc15b1d1 staticupload: correctly set invalidation timeout
Previously the timeout was not set in the client's constructor, thus the
zero value was used. The client did not wait for invalidation.
To prevent this in the future a warning is logged if wait is disabled.

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-09-04 11:20:13 +02:00
Otto Bittner
fdaa5aab3c api: use new signature type for Azure SNP versions
* Remove signature checks from unittests. Would need to export
signature from client/fetcher (unwanted). Can't figure out a better way.
e2e test completes in ~4sec and runs automatically.
So seems like a acceptable tradeoff.
* list object is now signed, but not verified. If we start to verify the list
we will have to adapt the e2e test to restore the previous list.
Otherwise there could be conflicts between dev and release keys.
2023-09-04 11:20:13 +02:00
Otto Bittner
2b19632e09 api: refine signature types
Wrapping apiObject does not work as intended as the version field
is when fetching objects from the API. Thus we need to insert
the target path of the signature directly.
2023-09-04 11:20:13 +02:00
Otto Bittner
7ffa1344e3 Configapi: pipeline to run e2e test for CLI
Co-authored-by: Paul Meyer <pm@edgeless.systems>
2023-09-04 11:20:13 +02:00
Otto Bittner
d2071e945a hack: make bucket/region configurable
The is useful for testing the configapi cli.
2023-09-04 11:20:13 +02:00
Daniel Weiße
d35822cff8
ci: add hint about cleaning up lingering resources on failure (#2300)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-04 10:09:35 +02:00
Daniel Weiße
311da4c082
cli: correctly trim white spaces for certificates in verify (#2299)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-04 08:30:18 +02:00
renovate[bot]
dd035f2bec
deps: update Constellation containers to v2.11.0-pre.0.20230821060133-60bf770e62bc (#2292)
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-09-01 17:56:36 +02:00
Daniel Weiße
f3218f4197
ci: fix incorrect signing key for sbom signature and wrong public key in release artifacts (#2296)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-01 16:40:09 +02:00
Daniel Weiße
a4d6016ae5
ci: make sure permissions to terminate cluster are always set for e2e upgrade (#2298)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-01 16:15:13 +02:00