* add Metricbeat deployment to debugd
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* set metricbeat debugd image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix k8s deployment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use 2 separate deployments
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only deploy via k8s in non-debug-images
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing tilde
* remove k8s metrics
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* unify flag
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add cloud metadata processor to filebeat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* ci: fix debugd logcollection (#2355)
* add missing keyvault access role
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bump logstash image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bump filebeat / metricbeat image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* log used image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use debugging image versions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* increase wait timeout for image upload
* add cloud metadata processor to filebeat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix template locations in container
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix image version typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add filebeat / metricbeat users
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove user additions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update workflow step name
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only mount config files
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* document potential rc
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix IAM permissions in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix AWS permissions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing workflow input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rename action
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pin image versions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary workflow inputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add refStream input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove inputs.yml dep
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* increase system metric period
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linkchecker
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
This keeps the report in focus for PRs with longer discussion and
repeated pushes.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* malicious node join test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add e2e build tag
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add namespaces to job apply
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix image and workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* build instructions in Dockerfile
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only print important flags
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use `malicious-join` namespace
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* build with bazel
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* order imports
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* test cases
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* various fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing quotes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Update e2e/malicious-join/malicious-join.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update e2e/malicious-join/malicious-join.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* use switch case
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter checks
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* wip
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* various fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update buildfiles
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use workdir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add required permissions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove permissions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove packages: write permission at step
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* login to registry
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix log
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* source base lib
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix sourcing order
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* export after definition
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix script header
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* dont exit after -e flag has been set
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Previously the timeout was not set in the client's constructor, thus the
zero value was used. The client did not wait for invalidation.
To prevent this in the future a warning is logged if wait is disabled.
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Previous output of findvers.sh would be [""] in case no version were
found, now the output is []. Also, GitHub cannot handle empty arrays
in the matrix field, so we add an if and check if the array is empty.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* refactor `debugd` file structure
* create `hack`-tool to deploy logcollection to non-debug clusters
* integrate changes into CI
* update fields
* update workflow input names
* use `working-directory`
* add opensearch creds to upgrade workflow
* make template func generic
* make templating func generic
* linebreaks
* remove magic defaults
* move `os.Exit` to main package
* make logging index configurable
* make templating generic
* remove excess brace
* update fields
* copy fields
* fix flag name
* fix linter warnings
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* remove unused workflow inputs
* remove makefiles
* fix command
* bazel: fix output paths of container
This fixes the output paths of builds within the container by mounting
directories to paths that exist on the host. We also explicitly set the
output path in a .bazelrc to the user specific path. The rc file is
mounted into the container and overrides the host rc.
Also adding automatic stop in case start is called and a containers
is already running.
Sym links like bazel-out and paths bazel outputs should generally work
with this change.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* tabs -> spaces
---------
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
The TCP versions are extracted from the MAA token, that itself is taken
from the verify command output. The configapi is adapted to directly
work on the MAA claims JSON.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
by setting the Azure SNP enforcement policy to equal in the weekly e2e.
The run should fail when there are unexpected ID Key digests used.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
The existingConfig field is always set to true during create, as we use
the IAM create step to generate the config in all cases. Accordingly,
secret injection into config isn't needed anymore in create.
This fixes a bug where other parameters like Kubernetes version and
cluster name wouldn't be injected into the config due to existingConfig
being true.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* add new iam upgrade apply
* remove iam tf plan from upgrade apply check
* add iam migration warning to upgrade apply
* update release process
* document migration
* Apply suggestions from code review
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* add iam upgrade
* remove upgrade dir check in test
* ask only without --yes
* make iam upgrade provider specific
* test without seperate logins
* remove csi and only add conditionally
* Revert "test without seperate logins"
This reverts commit 05a12e59c9.
* fix msising cred
* support iam migration for all csps
* add iam upgrade label
---------
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* add current chart
add current helm chart
* disable service controller for aws ccm
* add new iam roles
* doc AWS internet LB + add to LB test
* pass clusterName to helm for AWS LB
* fix update-aws-lb chart to also include .helmignore
* move chart outside services
* working state
* add subnet tags for AWS subnet discovery
* fix .helmignore load rule with file in subdirectory
* upgrade iam profile
* revert new loader impl since cilium is not correctly loaded
* install chart if not already present during `upgrade apply`
* cleanup PR + fix build + add todos
cleanup PR + add todos
* shared helm pkg for cli install and bootstrapper
* add link to eks docs
* refactor iamMigrationCmd
* delete unused helm.symwallk
* move iammigrate to upgrade pkg
* fixup! delete unused helm.symwallk
* add to upgradecheck
* remove nodeSelector from go code (Otto)
* update iam docs and sort permission + remove duplicate roles
* fix bug in `upgrade check`
* better upgrade check output when svc version upgrade not possible
* pr feedback
* remove force flag in upgrade_test
* use upgrader.GetUpgradeID instead of extra type
* remove todos + fix check
* update doc lb (leo)
* remove bootstrapper helm package
* Update cli/internal/cmd/upgradecheck.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* final nits
* add docs for e2e upgrade test setup
* Apply suggestions from code review
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/helm/loader.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* Update cli/internal/cmd/tfmigrationclient.go
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
* fix daniel review
* link to the iam permissions instead of manually updating them (agreed with leo)
* disable iam upgrade in upgrade apply
---------
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll
During testing on AWS SNP we can sometimes observe the scaling
take longer than 15 mins due to slow setup times of SNP machines.
Eventually the scaling works as expected.
* Use CLI to fetch measurements in e2e test
* Abort helm service upgrade early if user confirmation is missing
* Add container push to CLI build action
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* wip: add windows e2e test
* wip: register windows e2e tests
* remove registration
* wip: change CLI artifact name
* basic windows test
* checkout repo
* use correct iam create command
* remove trademarked name
* enable debug logs
* add pwsh liveliness check script
* delimiters
* set kubeconfig env var
* test
* use setx to set env var
* set envvar before liveness probe
* explicitly set kubeconfig
* invalidate app client id field for azure and provide info
* remove TestNewWithDefaultOptions case
* fix test
* remove appClientID field
* remove client secret + rename err
* remove from docs
* otto feedback
* update docs
* delete env test in cfg since no envs set anymore
* Update dev-docs/workflows/github-actions.md
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* WARNING to stderr
* fix check
---------
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
* sign version with release key and remove version from fetcher interface
* extend azure-reporter GH action to upload updated version values to the Attestation API
Runners sometimes fail because they run out of disk space.
One reason this happens is a change in the setup-go action@v4:
> The V4 edition of the action offers: Enabled caching by default
To combat this, we now disable the cache if it was not enabled explicitly before.
Additionally, we remove setup-go where it is no longer needed.
* The check would previously fail if e.g. `apply` did not upgrade the
image, but a new image was specified in the config. This could
happen if the specified image was too new, but a valid Kuberentes
upgrade was specified.
* ci: fix variable expansion in e2e-upgrade call
* e2e: do not verify measurement signature
* bazel-deps-mirror: upgrade command
This command can be used to upgrade a dependency.
Users are supposed to replace any upstream URLs and run the upgrade command.
It replaces the expected hash and uploads the new dep to the mirror.
This workflow is used to run e2e tests in
preparation to a release.
It is triggered by the successful completion of
the release workflow.
Also trigger e2e-mini through the release
workflow completion.
This makes restarting the tests easier if
they fail during release preparation.
Co-authored-by: stdoutput <moritz.sanft@outlook.de>
bazel-deps-mirror is an internal tools used to upload external dependencies
that are referenced in the Bazel WORKSPACE to the Edgeless Systems' mirror.
It also normalizes deps rules.
* hack: add tool to mirror Bazel dependencies
* hack: bazel-deps-mirror tests
* bazel: add deps mirror commands
* ci: upload Bazel dependencies on renovate PRs
* update go mod
* run deps_mirror_upload
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
The test is implemented as a go test.
It can be executed as a bazel target.
The general workflow is to setup a cluster,
point the test to the workspace in which to
find the kubeconfig and the constellation config
and specify a target image, k8s and
service version. The test will succeed
if it detects all target versions in the cluster
within the configured timeout.
The CI automates the above steps.
A separate workflow is introduced as there
are multiple input fields to the test.
Adding all of these to the manual e2e test
seemed confusing.
Co-authored-by: Fabian Kammel <fk@edgeless.systems>
* bazel: add configuration for remote caching
* ci: enable bazel remote caching for building binaries
* ci: use bazel directly when building go binaries
* ci: enable cache for most build steps
* dev-docs: document remote caching
* upload cli version list
* fix flag
* name
* allow cli kind for listing
* [remove] update vapi cli
* allow cli kind
* use latest versionsapi image version
* fix kind parsing
* use workflow calls in on_release action
* [remove] update container tag
* change back to latest tag
* build: correct toolchain order
* build: gazelle-update-repos
* build: use pregenerated proto for dependencies
* update bazeldnf
* deps: tpm simulator
* Update Google trillian module
* cli: add stamping as alternative build info source
* bazel: add go_test wrappers, mark special tests and select testing deps
* deps: add libvirt deps
* deps: go-libvirt patches
* deps: cloudflare circl patches
* bazel: add go_test wrappers, mark special tests and select testing deps
* bazel: keep gazelle overrides
* bazel: cleanup bazelrc
* bazel: switch CMakeLists.txt to use bazel
* bazel: fix injection of version information via stamping
* bazel: commit all build files
* dev-docs: document bazel usage
* deps: upgrade zig-cc for go 1.20
* bazel: update Perl for macOS arm64 & Linux arm64 support
* bazel: use static perl toolchain for OpenSSL
* bazel: use static protobuf (protoc) toolchain
* deps: add git and go to nix deps
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>