* .github: add e2e test to pr checklist
* ci: use sonobuoy quick where possible
* ci: run malicious join test on release
* ci: remove self managed infra test
* ci: remove non-example terraform test from weekly
* ci: run Sonobuoy full on the latest k8s version weekly
* ci: run weekly sonobuoy quick on all k8s versions
* ci: don't run double sonobuoy tests on latest k8s version
* Refactor selfManagedInfra input to clusterCreation in e2e tests
* Run e2e test using terraform provider
* Allow insecure measurement fetching in Terraform provider
* Run Terraform provider test instead of module test in weekly runs
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* terraform: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* config: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: use Terraform variables from config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: pass down marketplace variable
* image: pad Azure images to 1GiB
* terraform: add version attribute to marketplace image
* semver: allow versions to be exported without prefix
* cli: boolean var to use marketplace images
* config: remove dive key
* dev-docs: add instructions on how to use marketplace images
* terraform: fix unit test
* terraform: only fetch image for non-marketplace images
* mpimage: refactor image selection
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] increase minor version for image build
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: ignore changes to source_image_reference on upgrade
* operator: add support for parsing Azure marketplace images
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* upgrade: fix imagefetcher call
* docs: add info about azure marketplace
* image: ensure more than 1GiB in size
* image: test to pad to 2GiB
* version: change back to v2.14.0-pre
* image: GPT-conformant image size padding
* [remove] increase version
* mpimage: inline prefix func
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* ci: add marketplace image e2e test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] register workflow
* ci: fix workflow name
* ci: only allow azure test
* cli: add marketplace image input to interface
* cli: fix argument passing
* version: roll back to v2.14.0
* ci: add force-flag support
* Update docs/docs/overview/license.md
* Update dev-docs/workflows/marketplace-images.md
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Add missing bazel set-up in windows e2e-failure notify
* Enable bazel caching for e2e-upgrade test
* Remove whitespace
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* mark self-managed infrastructure tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add TODO
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add self-managed infra e2e test
* self-managed terminatio
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix upgrade test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix indentation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use -r when copying dir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add terraform variable parsing
* copy constellation conf
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary line breaks
* add missing value
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add image fetching for CSP
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix quoting
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing input to internal lb test
* normalize Azure URLs.. Of course
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix expressions
* initsecret to hex
* update hexdump cmd
* add build test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add node / pod cidr outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* explicitly delete the state file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing license header
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* always write all outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix list output
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove state-file and admin-conf on destroy
* dont use test payload
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] use self managed infra in manual e2e for testing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* init: always skip infrastructure phase
* patch maa in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* default to Constellation-created infra in e2e test
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add Metricbeat deployment to debugd
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* set metricbeat debugd image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix k8s deployment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use 2 separate deployments
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only deploy via k8s in non-debug-images
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing tilde
* remove k8s metrics
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* unify flag
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add cloud metadata processor to filebeat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* ci: fix debugd logcollection (#2355)
* add missing keyvault access role
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bump logstash image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bump filebeat / metricbeat image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* log used image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use debugging image versions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* increase wait timeout for image upload
* add cloud metadata processor to filebeat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix template locations in container
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix image version typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add filebeat / metricbeat users
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove user additions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update workflow step name
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only mount config files
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* document potential rc
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix IAM permissions in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix AWS permissions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing workflow input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rename action
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pin image versions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary workflow inputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add refStream input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove inputs.yml dep
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* increase system metric period
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linkchecker
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* malicious node join test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add e2e build tag
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add namespaces to job apply
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix image and workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* build instructions in Dockerfile
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only print important flags
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `malicious-join` namespace
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* build with bazel
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* order imports
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* test cases
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* various fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing quotes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update e2e/malicious-join/malicious-join.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update e2e/malicious-join/malicious-join.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* use switch case
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* various fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use workdir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add required permissions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove permissions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove packages: write permission at step
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* login to registry
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix log
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* source base lib
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix sourcing order
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* export after definition
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix script header
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dont exit after -e flag has been set
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* refactor `debugd` file structure
* create `hack`-tool to deploy logcollection to non-debug clusters
* integrate changes into CI
* update fields
* update workflow input names
* use `working-directory`
* add opensearch creds to upgrade workflow
* make template func generic
* make templating func generic
* linebreaks
* remove magic defaults
* move `os.Exit` to main package
* make logging index configurable
* make templating generic
* remove excess brace
* update fields
* copy fields
* fix flag name
* fix linter warnings
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* remove unused workflow inputs
* remove makefiles
* fix command
* bazel: fix output paths of container
This fixes the output paths of builds within the container by mounting
directories to paths that exist on the host. We also explicitly set the
output path in a .bazelrc to the user specific path. The rc file is
mounted into the container and overrides the host rc.
Also adding automatic stop in case start is called and a containers
is already running.
Sym links like bazel-out and paths bazel outputs should generally work
with this change.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* tabs -> spaces
---------
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
The TCP versions are extracted from the MAA token, that itself is taken
from the verify command output. The configapi is adapted to directly
work on the MAA claims JSON.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
by setting the Azure SNP enforcement policy to equal in the weekly e2e.
The run should fail when there are unexpected ID Key digests used.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
The existingConfig field is always set to true during create, as we use
the IAM create step to generate the config in all cases. Accordingly,
secret injection into config isn't needed anymore in create.
This fixes a bug where other parameters like Kubernetes version and
cluster name wouldn't be injected into the config due to existingConfig
being true.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* Use CLI to fetch measurements in e2e test
* Abort helm service upgrade early if user confirmation is missing
* Add container push to CLI build action
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.