* ci: make waiting for nodes more robust
After initializing the cluster, a lot of things happen in parallel and
are potentially getting in each others' way: nodes are joining,
daemonsets are proliferating, the network is being set up. During this
period, it's not unusual that the Kubernetes API server is unavailable
for a short time, e.g. due to etcd loosing quorum or load balancing
changes.
This period of instability has the potential to affect all kubectl
commands negatively, leading to problems especially for tests, where
command failures often lead to test failures. On the other hand, we'd
expect everything to be quite stable after the initial dust settles.
Therefore, this commit changes how we wait after initializing a cluster.
Until we have a reasonable expectation of readiness, we ignore command
failures and wait for things to stabilize. The cluster is considered
stable once all configured nodes and all API servers report ready.
* ci: improve constellation_create error message
When we hit a timeout due to nodes not coming up, the actual error
message is hard to make out because it's buried in a group. With the
right formatting, the error message will be highlighted in the UI.
Another improvement is to output the state of nodes, which helps
debugging the cause of nodes not joining or not becoming ready.
* cleanup: use NodeVersionResourceName constant
... instead of literal strings.
* ci: correctly notify on e2e upgrade error
* atls: report cert extension OIDs on mismatch
If the certificate contains an attestation document for SEV-SNP, but the
given validator is for Nitro, verifyEmbeddedReport should not claim that
there is no attestation document, but that there is no _compatible_ one
and what the incompatible ones were.
* .github: add e2e test to pr checklist
* ci: use sonobuoy quick where possible
* ci: run malicious join test on release
* ci: remove self managed infra test
* ci: remove non-example terraform test from weekly
* ci: run Sonobuoy full on the latest k8s version weekly
* ci: run weekly sonobuoy quick on all k8s versions
* ci: don't run double sonobuoy tests on latest k8s version
* Refactor selfManagedInfra input to clusterCreation in e2e tests
* Run e2e test using terraform provider
* Allow insecure measurement fetching in Terraform provider
* Run Terraform provider test instead of module test in weekly runs
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* terraform: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* config: add Azure marketplace variable
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: use Terraform variables from config
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: pass down marketplace variable
* image: pad Azure images to 1GiB
* terraform: add version attribute to marketplace image
* semver: allow versions to be exported without prefix
* cli: boolean var to use marketplace images
* config: remove dive key
* dev-docs: add instructions on how to use marketplace images
* terraform: fix unit test
* terraform: only fetch image for non-marketplace images
* mpimage: refactor image selection
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] increase minor version for image build
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* terraform: ignore changes to source_image_reference on upgrade
* operator: add support for parsing Azure marketplace images
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* upgrade: fix imagefetcher call
* docs: add info about azure marketplace
* image: ensure more than 1GiB in size
* image: test to pad to 2GiB
* version: change back to v2.14.0-pre
* image: GPT-conformant image size padding
* [remove] increase version
* mpimage: inline prefix func
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* ci: add marketplace image e2e test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] register workflow
* ci: fix workflow name
* ci: only allow azure test
* cli: add marketplace image input to interface
* cli: fix argument passing
* version: roll back to v2.14.0
* ci: add force-flag support
* Update docs/docs/overview/license.md
* Update dev-docs/workflows/marketplace-images.md
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
* Only run verify with JSON output on v2.14 or newer
* Dont upload TCB version for AWS on v2.13
* Remove workaround for CLI not yet support apply to initialize clusters
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Allow creation of Constellation clusters using `apply` command
* Add auto-completion for `--skip-phases` flag
* Deprecate create command
* Replace all doc references to create command with apply
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* Add missing bazel set-up in windows e2e-failure notify
* Enable bazel caching for e2e-upgrade test
* Remove whitespace
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* mark self-managed infrastructure tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add TODO
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add self-managed infra e2e test
* self-managed terminatio
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix upgrade test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix indentation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use -r when copying dir
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add terraform variable parsing
* copy constellation conf
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary line breaks
* add missing value
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add image fetching for CSP
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix quoting
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing input to internal lb test
* normalize Azure URLs.. Of course
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix expressions
* initsecret to hex
* update hexdump cmd
* add build test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add node / pod cidr outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* explicitly delete the state file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing license header
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* always write all outputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix list output
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove state-file and admin-conf on destroy
* dont use test payload
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* [remove] use self managed infra in manual e2e for testing
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* init: always skip infrastructure phase
* patch maa in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* default to Constellation-created infra in e2e test
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* Add apply command
* Mark init and upgrade apply as deprecated
* Use apply command in CI
* Add skippable phases for attestation config and cert SANs
---------
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
* [wip] use state file in CLI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use state file in CLI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
take clusterConfig from IDFile for compat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
various fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
wip
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add GCP-specific values in Helm loader test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary pointer
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* write ClusterValues in one step
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* move stub to test file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove mention of id-file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* move output to `migrateTerraform`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* unconditional assignments converting from idFile
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* move require block in go modules file
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fall back to id file on upgrade
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linter check
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add notice to remove Terraform state check on manual migration
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add `name` field
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
fix name tests
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* return early if no Terraform diff
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* return infrastructure state even if no diff exists
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add TODO to remove comment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use state-file in miniconstellation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* cli: remove id-file (#2402)
* remove id-file from `constellation create`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add file renaming to handler
* rename id-file after upgrade
* use idFile on `constellation init`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `constellation verify`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* linter fixes
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `constellation mini`
* remove id-file from `constellation recover`
* linter fixes
* remove id-file from `constellation terminate`
* fix initSecret type
* fix recover argument precedence
* fix terminate test
* generate
* add TODO to remove id-file removal
* Update cli/internal/cmd/init.go
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* fix verify arg parse logic
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add version test
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from docs
* add file not found log
* use state-file in miniconstellation
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `constellation iam destroy`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove id-file from `cdbg deploy`
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* use state-file in CI
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update orchestration docs
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
* add Metricbeat deployment to debugd
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* set metricbeat debugd image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix k8s deployment
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use 2 separate deployments
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only deploy via k8s in non-debug-images
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing tilde
* remove k8s metrics
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* unify flag
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add cloud metadata processor to filebeat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* ci: fix debugd logcollection (#2355)
* add missing keyvault access role
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bump logstash image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* bump filebeat / metricbeat image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* log used image version
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* use debugging image versions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* increase wait timeout for image upload
* add cloud metadata processor to filebeat
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix template locations in container
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix image version typo
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add filebeat / metricbeat users
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove user additions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* update workflow step name
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* only mount config files
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* document potential rc
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix IAM permissions in workflow
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix AWS permissions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* tidy
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add missing workflow input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* rename action
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* pin image versions
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove unnecessary workflow inputs
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* add refStream input
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* remove inputs.yml dep
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* increase system metric period
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* fix linkchecker
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---------
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
* refactor `debugd` file structure
* create `hack`-tool to deploy logcollection to non-debug clusters
* integrate changes into CI
* update fields
* update workflow input names
* use `working-directory`
* add opensearch creds to upgrade workflow
* make template func generic
* make templating func generic
* linebreaks
* remove magic defaults
* move `os.Exit` to main package
* make logging index configurable
* make templating generic
* remove excess brace
* update fields
* copy fields
* fix flag name
* fix linter warnings
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* remove unused workflow inputs
* remove makefiles
* fix command
* bazel: fix output paths of container
This fixes the output paths of builds within the container by mounting
directories to paths that exist on the host. We also explicitly set the
output path in a .bazelrc to the user specific path. The rc file is
mounted into the container and overrides the host rc.
Also adding automatic stop in case start is called and a containers
is already running.
Sym links like bazel-out and paths bazel outputs should generally work
with this change.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* tabs -> spaces
---------
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
by setting the Azure SNP enforcement policy to equal in the weekly e2e.
The run should fail when there are unexpected ID Key digests used.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
The existingConfig field is always set to true during create, as we use
the IAM create step to generate the config in all cases. Accordingly,
secret injection into config isn't needed anymore in create.
This fixes a bug where other parameters like Kubernetes version and
cluster name wouldn't be injected into the config due to existingConfig
being true.
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
* invalidate app client id field for azure and provide info
* remove TestNewWithDefaultOptions case
* fix test
* remove appClientID field
* remove client secret + rename err
* remove from docs
* otto feedback
* update docs
* delete env test in cfg since no envs set anymore
* Update dev-docs/workflows/github-actions.md
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* WARNING to stderr
* fix check
---------
Co-authored-by: Otto Bittner <cobittner@posteo.net>
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP
For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
