Commit Graph

1103 Commits

Author SHA1 Message Date
Daniel Weiße
4c8ce55e5a
cli: enable constellation apply to create new clusters (#2549)
* Allow creation of Constellation clusters using `apply` command
* Add auto-completion for `--skip-phases` flag
* Deprecate create command
* Replace all doc references to create command with apply

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-20 11:17:16 +01:00
Daniel Weiße
5e9e3de1a1
ci: start v2.14-pre window (#2610)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-17 10:34:35 +01:00
Malte Poll
ac8aac0e34
ci: allow jobs to install tools from pinned nixpkgs (#2605) 2023-11-16 14:41:34 +01:00
Moritz Sanft
2ccc2212c8
add missing runner value (#2602)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-15 08:49:10 +01:00
Daniel Weiße
6d6ef66a31
ci: refactor teams notification action (#2600)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-15 08:48:13 +01:00
Moritz Sanft
fd72952738
checkout before selecting image (#2598)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-14 10:33:59 +01:00
Moritz Sanft
8f2f8bdbbd
terraform: allow image to be empty (#2595)
* make image optional in the high level modules

* align azure variable description

* set defaults in convenience modules

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-11-13 20:13:24 +01:00
Moritz Sanft
8e4feb7e2a
terraform: add Terraform module for Azure (#2566)
* add Azure Terraform module

* add maa-patching command to cli

* refactor release process

* factor out image fetching to own action

* add CI

* generate

* fix some unnecessary changes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use `constellation maa-patch` in ci

* insecure flag when using debug image

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only update maa url if existing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make node group zone optional on aws and gcp

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] register updated workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Revert "[remove] register updated workflow"

This reverts commit e70b9515b7eabbcbe0d41fa1296c48750cd02ace.

* create MAA

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make maa-patching only run on azure

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* require node group zone for GCP and AWS

* remove unnecessary bazel action

* stamp version to correct file

* refer to `maa-patch` command in docs

* run Azure test in weekly e2e

* comment / naming improvements

* remove sa_account resource

* disable spellcheck ot use "URL"

* `create_maa` variable

* don't write maa url to config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* default to nightly image

* use input ref and stream

* fix command check

* don't set region in weekly e2e call

* patch maa if url is not empty

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove `create_maa` variable

* remove binaries

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove undefined input

* replace invalid attestation URL error message

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* fix punctuation

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* skip hidden commands in clidocgen

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* enable spellcheck before code block

* move spellcheck trigger out of info block

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix workflow dependencies

* let image default to CLI version

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-11-13 18:46:20 +01:00
Daniel Weiße
e8f0c58558
ci: fix maa-patch action for self-managed create (#2578)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-13 16:29:33 +01:00
Moritz Sanft
ae8025cd16
ci: fix path in self managed create test (#2574)
* fix path

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix path in doc

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-13 08:34:54 +01:00
Malte Poll
e11b1a0576 ci: use rbe for unit tests 2023-11-10 18:15:59 +01:00
Adrian Stobbe
22d82a59ed
terraform: Terraform module for GCP (#2553) 2023-11-10 13:32:18 +01:00
Adrian Stobbe
b765231175
deps: bump Go to 1.21.4 (#2569)
Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-11-09 20:17:14 +01:00
Daniel Weiße
e9eb75bb83
ci: dont run SNP version upload on v2.12.0 CLI tests (#2568)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-09 08:26:42 +01:00
Adrian Stobbe
cea6204b37
terraform: Terraform module for AWS (#2503) 2023-11-08 19:10:01 +01:00
Daniel Weiße
0bac72261d
ci: fix failure issue creation for Windows e2e test (#2565)
* Add missing bazel set-up in windows e2e-failure notify
* Enable bazel caching for e2e-upgrade test
* Remove whitespace

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-08 15:27:40 +01:00
Daniel Weiße
273a6ba853
ci: use structured logging for all parts of the malicious-join test (#2557)
* Use structured logging for all parts of the test
* Fix malicious-join image build action

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-07 09:02:19 +01:00
Otto Bittner
b0ee39a96d ci: publish s3proxy chart during release 2023-11-06 10:21:11 +01:00
Otto Bittner
8ebd813480 s3proxy: ship as helm chart 2023-11-06 10:21:11 +01:00
Otto Bittner
a19227cac9 s3proxy: initial e2e tests and workflows 2023-11-06 10:21:11 +01:00
Malte Poll
76d7d30245
ci: do not upload terraform logs (#2554) 2023-11-04 19:14:29 +01:00
Moritz Sanft
813405f080
ci: share e2e workflow (#2550)
* re-use workflow in internal LB e2e test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add self-managed infra workfloww

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-11-03 16:27:28 +01:00
renovate[bot]
17b0915a10
deps: update docker/build-push-action action to v5 (#2531)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-11-02 10:13:14 +01:00
Daniel Weiße
e8cf0f59bd
ci: force delete files on self-managed destroy (#2538)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-31 12:45:10 +01:00
Moritz Sanft
8d08ace0b5
ci: mark self-managed infrastructure tests (#2537)
* mark self-managed infrastructure tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add TODO

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-30 14:33:58 +01:00
renovate[bot]
b3002d21e3
deps: update dependency Pillow to v10 [SECURITY] (#2400)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-27 14:22:34 +02:00
Moritz Sanft
402a8834ca
ci: add e2e test for self-managed infrastructure (#2472)
* add self-managed infra e2e test

* self-managed terminatio

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix upgrade test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix indentation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use -r when copying dir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add terraform variable parsing

* copy constellation conf

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary line breaks

* add missing value

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add image fetching for CSP

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix quoting

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing input to internal lb test

* normalize Azure URLs.. Of course

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix expressions

* initsecret to hex

* update hexdump cmd

* add build test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add node / pod cidr outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* explicitly delete the state file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing license header

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* always write all outputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix list output

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove state-file and admin-conf on destroy

* dont use test payload

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] use self managed infra in manual e2e for testing

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* init: always skip infrastructure phase

* patch maa in workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* default to Constellation-created infra in e2e test

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-27 09:37:26 +02:00
Daniel Weiße
149fedb90f
cli: add constellation apply command to replace init and upgrade apply (#2484)
* Add apply command
* Mark init and upgrade apply as deprecated
* Use apply command in CI
* Add skippable phases for attestation config and cert SANs

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-26 15:59:13 +02:00
renovate[bot]
e445dac590
deps: update docker/metadata-action action to v5 (#2512)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-26 08:19:55 +02:00
renovate[bot]
0563ce7336
deps: update aws-actions/configure-aws-credentials action to v4 (#2510)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-26 08:18:37 +02:00
renovate[bot]
0e7462728a
deps: update docker/login-action action to v3 (#2511)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-25 17:40:25 +02:00
Paul Meyer
1261ccb569 Revert "ci: execute unit tests and tidy check against merge of PR branch and main (#2452)"
This reverts commit 43f7d9f736.
2023-10-24 14:43:09 +02:00
Adrian Stobbe
5d640ff4f9
ci: fix win build (#2499) 2023-10-23 14:39:45 +02:00
Adrian Stobbe
9c1c876830
pick random azure region (#2483) 2023-10-20 13:38:08 +02:00
Daniel Weiße
eeaba28d02
ci: remove force flag from CLI commands (#2479)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-20 08:10:26 +02:00
Malte Poll
ee54b71a9e
ci: build rpmdb explicitly (#2476) 2023-10-19 08:34:17 +02:00
Adrian Stobbe
5819a11d25
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 17:36:50 +02:00
3u13r
0c89f57ac5
Support internal load balancers (#2388)
* arch: support internal lb on Azure

* arch: support internal lb on GCP

* helm: remove lb svc from verify deployment

* arch: support internal lb on AWS

* terraform: add jump hosts for internal lb

* cli: expose internalLoadBalancer in config

* ci: add e2e-manual-internal

* add in-cluster endpoint to terraform output
2023-10-17 15:46:15 +02:00
Malte Poll
1a141c3972
image: add rpm database as build output (#2442)
For reproducibility reasons, the final OS image does not ship the rpm database in sqlite format.
For supply chain security and license compliance reasons, we want to keep the rpm database of os images as a detached build artifact.
We now ship a reproducible, human readable manifest of installed rpms in the image under "/usr/share/constellation/packagemanifest" and upload the full rpm database as a build artifact (rpmdb.tar).
2023-10-17 14:04:41 +02:00
Malte Poll
e93de82c0b
image: use systemd-dissect from the host when calculating measurements (#2473)
* image: use systemd-dissect from the host when calculating measurements

* ci: setup bazel and nix toolchains before merging os image measurements
2023-10-17 13:26:07 +02:00
renovate[bot]
abbe3853cb
deps: update cachix/install-nix-action action to v23 (#2469)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-10-17 10:48:52 +02:00
renovate[bot]
4fbf94ceb8
deps: update golang:1.21.3 Docker digest to 24a0937 (#2468)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-10-17 10:48:38 +02:00
Malte Poll
c424ec8825
ci: fix PR label for rpm updates (#2464) 2023-10-17 09:46:37 +02:00
Malte Poll
a9f245752c ci: update rpm lockfile once per week 2023-10-17 09:23:56 +02:00
Daniel Weiße
afb154ceb7
ci: add missing quotation marks for region flag + revert to northeurope (#2459)
* Add missing quotation marks for region flag
* Revert default Azure region to northeurope

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-16 16:20:32 +02:00
Malte Poll
43f7d9f736
ci: execute unit tests and tidy check against merge of PR branch and main (#2452) 2023-10-16 09:58:45 +02:00
Malte Poll
33d53a1da9
ci: remove python from codeql (#2451) 2023-10-13 12:37:13 +02:00
3u13r
9e1a0c06bf
Deps: bump Go to 1.21.3 (#2450)
* build: override go version to 1.21.3

* build: re-enable cachix

* ci: set $USER if not set
2023-10-12 16:11:02 +02:00
Malte Poll
e80e6076b4 ci: install nix together with Bazel 2023-10-12 14:42:24 +02:00
Malte Poll
d22f53d7cc bazel: always use nix 2023-10-12 14:42:24 +02:00
renovate[bot]
907b74a31f
deps: update module golang.org/x/tools to v0.14.0 (#2446)
* deps: update module golang.org/x/tools to v0.14.0

* ci: don't error on cleanup

---------

Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-10-12 14:07:59 +02:00
renovate[bot]
a1c84cb080
deps: update GitHub action dependencies (#2437)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-11 13:49:50 +02:00
renovate[bot]
117c9c53f8
deps: update golang Docker tag to v1.21.3 (#2436)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-11 13:43:53 +02:00
Adrian Stobbe
b35a042abd
fix verify test (#2424) 2023-10-10 20:47:53 +02:00
Malte Poll
02c04f057f
ci: start v2.13-pre window (#2426) 2023-10-10 18:33:04 +02:00
Moritz Sanft
005e865a13
cli: use state file on init and upgrade (#2395)
* [wip] use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state file in CLI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

take clusterConfig from IDFile for compat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add GCP-specific values in Helm loader test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary pointer

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* write ClusterValues in one step

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move stub to test file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove mention of id-file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move output to `migrateTerraform`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* unconditional assignments converting from idFile

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* move require block in go modules file

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fall back to id file on upgrade

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter check

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add notice to remove Terraform state check on manual migration

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add `name` field

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

fix name tests

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return early if no Terraform diff

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* return infrastructure state even if no diff exists

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add TODO to remove comment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: remove id-file (#2402)

* remove id-file from `constellation create`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add file renaming to handler

* rename id-file after upgrade

* use idFile on `constellation init`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation verify`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* linter fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation mini`

* remove id-file from `constellation recover`

* linter fixes

* remove id-file from `constellation terminate`

* fix initSecret type

* fix recover argument precedence

* fix terminate test

* generate

* add TODO to remove id-file removal

* Update cli/internal/cmd/init.go

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* fix verify arg parse logic

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add version test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from docs

* add file not found log

* use state-file in miniconstellation

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `constellation iam destroy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove id-file from `cdbg deploy`

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>

* use state-file in CI

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update orchestration docs

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-10-09 13:04:29 +02:00
Malte Poll
dbf40d185c
ci: free up disk space on GitHub hosted runners (#2419) 2023-10-09 11:00:22 +02:00
Daniel Weiße
8bb23c373b
ci: ensure API is only updated if image and measurements are uploaded (#2413)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-06 14:34:06 +02:00
Daniel Weiße
ce2465c3c7
ci: use West US region for Azure e2e test until problems are resolved (#2414)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-10-06 11:43:02 +02:00
Paul Meyer
b1d5d13990 github: replace discord with GitHub discussions
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-05 16:57:19 +02:00
Paul Meyer
53bfb3b71a github: use new issue forms instead of template
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-10-05 16:57:19 +02:00
Moritz Sanft
2d797874c7
ci: add msanft to list of possible e2e assignees (#2410)
* add msanft to list of possible e2e assignees

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add msanft to teams card

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-05 13:54:45 +02:00
Moritz Sanft
13e9359b5c
remove unnecessary link (#2407) 2023-10-05 10:05:45 +02:00
Malte Poll
6ea0b38a66 ci: add large runner as allowed label 2023-10-04 13:17:44 +02:00
Moritz Sanft
0885646034
github: add AB ticket link to PR template (#2397)
* add Azure DevOps ticket to PR template

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* make additional info not optional

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-10-04 10:26:10 +02:00
Malte Poll
b4fb8439d0
ci: use larger runners for os image pipeline (#2399) 2023-10-04 10:13:43 +02:00
Malte Poll
627a4b6cbb ci: enable nix binary cache 2023-09-29 14:09:58 +02:00
Malte Poll
ed4d4d83fd ci: remove dependency on pseudo-version tool 2023-09-29 14:09:58 +02:00
Malte Poll
055fb32918 ci: stop using raw "go run" 2023-09-29 14:09:58 +02:00
Malte Poll
85b4101dc3
deps: update go to 1.21.1 (#2389) 2023-09-28 22:29:14 +02:00
Daniel Weiße
36c8cf2fd8
ci: fix whitespace in url for some tests (#2390)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-28 16:31:22 +02:00
Malte Poll
1da5153627 ci: use nix + mkosi during os image build 2023-09-27 17:58:19 +02:00
Moritz Sanft
f4b2d02194
ci: collect cluster metrics to OpenSearch (#2347)
* add Metricbeat deployment to debugd

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* set metricbeat debugd image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix k8s deployment

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use 2 separate deployments

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only deploy via k8s in non-debug-images

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing tilde

* remove k8s metrics

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* unify flag

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add cloud metadata processor to filebeat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* ci: fix debugd logcollection (#2355)

* add missing keyvault access role

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bump logstash image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* bump filebeat / metricbeat image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* log used image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use debugging image versions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* increase wait timeout for image upload

* add cloud metadata processor to filebeat

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix template locations in container

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix image version typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add filebeat / metricbeat users

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove user additions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update workflow step name

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only mount config files

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* document potential rc

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix IAM permissions in workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix AWS permissions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* tidy

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing workflow input

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* rename action

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* pin image versions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove unnecessary workflow inputs

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add refStream input

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove inputs.yml dep

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* increase system metric period

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linkchecker

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-27 16:17:31 +02:00
renovate[bot]
9c1e6295d4 deps: update dependency cryptography to v41.0.4 [SECURITY] 2023-09-27 13:28:08 +02:00
renovate[bot]
5773bca3bb
deps: update golang Docker tag to v1.21.1 (#2370)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-26 13:19:54 +02:00
Daniel Weiße
7aba42baa5
ci: add more filters to e2e failure OpenSearch links (#2358)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-26 13:17:59 +02:00
3u13r
b9f1a0c17d
ci: don't pull from detached head (#2335) 2023-09-26 11:15:28 +02:00
Paul Meyer
f5ddcf984e ci: recreate coverage report on push
This keeps the report in focus for PRs with longer discussion and
repeated pushes.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-26 10:36:32 +02:00
3u13r
8f5a2867b4
ci: remove verify test for macos during release (#2338) 2023-09-25 13:51:08 +02:00
3u13r
d0e3e494ba
ci: fix kubectl version retrieval (#2356) 2023-09-25 11:59:36 +02:00
Adrian Stobbe
118f789c2f
cli: fix Azure SEV-SNP latest version logic (#2343) 2023-09-25 11:53:02 +02:00
Daniel Weiße
33c9f16e82
ci: add missing notification hook for MiniConstellation test (#2352)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-22 13:25:20 +02:00
Moritz Sanft
8f549f0622
add sleep after nop test (#2350)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-21 10:13:59 +02:00
Moritz Sanft
0a28cdecb2
ci: add malicious join test (#2304)
* malicious node join test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add e2e build tag

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add namespaces to job apply

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix image and workflow

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* build instructions in Dockerfile

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* only print important flags

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use `malicious-join` namespace

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* build with bazel

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* order imports

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* test cases

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add missing quotes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* Update e2e/malicious-join/malicious-join.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update e2e/malicious-join/malicious-join.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* use switch case

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update image version

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter checks

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* wip

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* various fixes

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* update buildfiles

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* use workdir

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix linter

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* add required permissions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove permissions

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* remove packages: write permission at step

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* login to registry

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix typo

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix log

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* source base lib

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix sourcing order

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* export after definition

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* fix script header

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* dont exit after -e flag has been set

Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-15 17:21:42 +02:00
3u13r
0982587a4d
chore: bump version.txt (#2334)
* chore: bump version.txt

* ci: bump upgrade version
2023-09-14 14:42:16 +02:00
3u13r
a03c686066
ci: bump install helm action (#2337) 2023-09-14 14:29:46 +02:00
3u13r
996542a075
ci: install helm when deploying log collection (#2333) 2023-09-14 12:03:13 +02:00
Malte Poll
f399fe148b
api: rename references to moved hack/configapi (#2329)
Fixes 376bc6d39f
2023-09-11 10:57:32 +02:00
Malte Poll
7376c6a998
ci: remove aspect workflows (#2324) 2023-09-08 14:19:14 +02:00
3u13r
6cb506bca7
deps: bump go version (#2318) 2023-09-08 10:19:07 +02:00
Daniel Weiße
442f904ceb
ci: don't automatically create git tag in release pipeline (#2316)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-07 08:47:01 +02:00
Otto Bittner
d3c940a6a0
ci: use virtee project for sev-snp-measure-go (#2307)
Our port is part of the virtee org. Lets use it to keep it up-to-date.
2023-09-06 14:02:53 +02:00
Moritz Sanft
224178b936
use updated url (#2308)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-09-06 08:23:05 +02:00
Otto Bittner
376bc6d39f api: move hack/configapi into internal/api
The tool has an e2e test and is part of our production pipeline.
2023-09-04 11:20:13 +02:00
Otto Bittner
97dc15b1d1 staticupload: correctly set invalidation timeout
Previously the timeout was not set in the client's constructor, thus the
zero value was used. The client did not wait for invalidation.
To prevent this in the future a warning is logged if wait is disabled.

Co-authored-by: Daniel Weiße <dw@edgeless.systems>
2023-09-04 11:20:13 +02:00
Otto Bittner
7ffa1344e3 Configapi: pipeline to run e2e test for CLI
Co-authored-by: Paul Meyer <pm@edgeless.systems>
2023-09-04 11:20:13 +02:00
Daniel Weiße
d35822cff8
ci: add hint about cleaning up lingering resources on failure (#2300)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-04 10:09:35 +02:00
Daniel Weiße
f3218f4197
ci: fix incorrect signing key for sbom signature and wrong public key in release artifacts (#2296)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-01 16:40:09 +02:00
Daniel Weiße
a4d6016ae5
ci: make sure permissions to terminate cluster are always set for e2e upgrade (#2298)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-09-01 16:15:13 +02:00
Paul Meyer
11efc8d512 ci: comment Go coverage report on PR
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-28 15:44:07 +02:00
Adrian Stobbe
7c9a78fe51
make release idempotent (#2278) 2023-08-28 09:21:25 +02:00
Moritz Sanft
a671367794
iamcreate: collect Terraform logs (#2289)
Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
2023-08-28 09:01:03 +02:00
Adrian Stobbe
f15c5444da
upgrade test from v2.10.1 (#2279) 2023-08-24 09:15:43 +02:00
Paul Meyer
abd5cdf362 ci: fix ccm build when no new version are found
Previous output of findvers.sh would be [""] in case no version were
found, now the output is []. Also, GitHub cannot handle empty arrays
in the matrix field, so we add an if and check if the array is empty.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-23 15:05:22 +02:00
Moritz Sanft
54c52f17f6
ci: fix Windows e2e test (#2255)
* fix Windows e2e test

* check if caller workflow was scheduled

* inherit secrets
2023-08-21 14:36:28 +02:00
Malte Poll
d6624a472d
bazel: correctly set buildbuddy api key (#2262) 2023-08-21 12:14:47 +02:00
Moritz Sanft
60bf770e62
ci: logcollection to OpenSearch in non-debug clusters (#2080)
* refactor `debugd` file structure

* create `hack`-tool to deploy logcollection to non-debug clusters

* integrate changes into CI

* update fields

* update workflow input names

* use `working-directory`

* add opensearch creds to upgrade workflow

* make template func generic

* make templating func generic

* linebreaks

* remove magic defaults

* move `os.Exit` to main package

* make logging index configurable

* make templating generic

* remove excess brace

* update fields

* copy fields

* fix flag name

* fix linter warnings

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* remove unused workflow inputs

* remove makefiles

* fix command

* bazel: fix output paths of container

This fixes the output paths of builds within the container by mounting
directories to paths that exist on the host. We also explicitly set the
output path in a .bazelrc to the user specific path. The rc file is
mounted into the container and overrides the host rc.
Also adding automatic stop in case start is called and a containers
is already running.
Sym links like bazel-out and paths bazel outputs should generally work
with this change.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

* tabs -> spaces

---------

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-21 08:01:33 +02:00
Malte Poll
6c6e2ca2f4 bazel: adopt best practices for bazelrc
Options adapted from https://docs.aspect.build/guides/bazelrc

bazel: adopt best practices for bazelrc

Options adapted from https://docs.aspect.build/guides/bazelrc
2023-08-18 16:36:13 +02:00
Malte Poll
339492f314
ci: add aspect workflows (#2258) 2023-08-18 11:31:24 +02:00
3u13r
8325f99b09
deps: support Kubernetes 1.28 (#2242) 2023-08-18 11:13:24 +02:00
3u13r
38dcb3dbab
ci: fix recover wait condition (#2257) 2023-08-18 10:43:51 +02:00
Paul Meyer
c6819b8d31 ci: automatically build GCP CCM container
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-16 16:31:04 +02:00
Paul Meyer
001219d26a ci: remove azure-cvm runner
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-16 11:41:02 +02:00
Paul Meyer
f43888bb6f ci: remove azure-snp-reporter workflow
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-16 11:41:02 +02:00
Paul Meyer
f604a8dfd2 e2e: upload TCB versions in verify test
The TCP versions are extracted from the MAA token, that itself is taken
from the verify command output. The configapi is adapted to directly
work on the MAA claims JSON.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-16 11:41:02 +02:00
Adrian Stobbe
5574092bcf
ref: update code for 2.11 (#2239)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2023-08-16 11:34:58 +02:00
renovate[bot]
841463d11e
deps: update GitHub action dependencies (#2234)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-15 14:38:48 +02:00
Malte Poll
5c1bca5928
ci: set bazlrc options for "common" instead of "build" if they should always apply (#2227)
Most flags set in the bazelrc in CI are always applicable, so we set them with the common prefix.
2023-08-15 10:34:42 +02:00
Malte Poll
b12f2867dd
ci: set bazel build event stream timeout to 600s (#2223) 2023-08-14 14:26:59 +02:00
Daniel Weiße
ef4d789dc8
ci: fix notify trigger in e2e upgrade workflow (#2221)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-14 11:45:04 +02:00
Adrian Stobbe
c7bbf90989
ci: add e2e-mini to daily test (#2217) 2023-08-14 08:13:29 +02:00
Paul Meyer
de9e841853 e2e: use Kubernetes 1.26 in daily test
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-11 14:06:35 +02:00
renovate[bot]
d4e8d25636
deps: update golang:1.20.7 Docker digest to 37c7d85 (#2213)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-11 13:44:55 +02:00
Daniel Weiße
066fff951f
ci: correctly default to false for upgrade e2e notifications (#2208)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-11 09:05:44 +02:00
Daniel Weiße
154d1cc3cf Make kubernetes version optional in e2e tests
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-10 15:46:59 +02:00
Daniel Weiße
0dd62fc59d
ci: allow setting region/zone for e2e tests (#2205)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-10 12:53:40 +02:00
Paul Meyer
670c20b18c e2e: cleanup test inputs
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-09 18:42:04 +02:00
Paul Meyer
e466ce2f26 e2e: detect changing idKeyDigests on azure
by setting the Azure SNP enforcement policy to equal in the weekly e2e.
The run should fail when there are unexpected ID Key digests used.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-09 16:45:42 +02:00
3u13r
c43210c90b
ci: fix recover test (#2162)
* ci: fix recover test
Previously the test failed if not all nodes were recovered by the cli.

* ci: refactor recover test
2023-08-09 16:01:43 +02:00
Otto Bittner
d5e88115a0
ci: replace mastersecret flag in recover (#2186) 2023-08-09 13:00:27 +02:00
Paul Meyer
29dcb72bea e2e: remove existingConfig field
The existingConfig field is always set to true during create, as we use
the IAM create step to generate the config in all cases. Accordingly,
secret injection into config isn't needed anymore in create.
This fixes a bug where other parameters like Kubernetes version and
cluster name wouldn't be injected into the config due to existingConfig
being true.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-09 12:36:36 +02:00
Adrian Stobbe
d1febd7276
fix e2e upgrade config migration (#2179) 2023-08-09 10:28:13 +02:00
Paul Meyer
eb2f3c3021 ci: verify all pods in verify e2e
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-08 18:46:13 +02:00
Adrian Stobbe
9dcad0ed16
fix upgrade test by only setting nodeGroup for >v2.9 (#2176) 2023-08-07 11:02:00 +02:00
renovate[bot]
cc10613252
deps: update dependency cryptography to v41.0.3 [SECURITY] (#2150)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-08-07 09:23:18 +02:00
Adrian Stobbe
3ea7fddb03
fix upgrade test by adding deprecated flags(#2173) 2023-08-07 08:38:14 +02:00
Malte Poll
92b0cd5a21 ci: update actions to use nodeGroups and remove deprecated flags 2023-08-04 12:36:45 +02:00
Moritz Sanft
af05e17f49
ci: keep embedded measurements if stable image is used (#2109)
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-08-04 09:43:32 +02:00
Paul Meyer
dccb1dfde9 ci: remove unused actions
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-08-03 16:09:06 +02:00
3u13r
a983b08262
deps: bump go version (#2156) 2023-08-03 12:07:27 +02:00
Daniel Weiße
321474c356
ci: remove old incompatible test option (#2149)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-08-02 08:18:55 +02:00
Otto Bittner
002c3a9a32
ci: upgrade fromVersion for upgrade tests (#2145)
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-08-01 10:34:11 +02:00
Otto Bittner
867f7490a2
ci: clone constellation repo into separate dir (#2143) 2023-08-01 10:13:10 +02:00
renovate[bot]
5fa50c7fcc
deps: update dependency certifi to v2023.7.22 [SECURITY] (#2139)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-07-31 15:59:28 +02:00
Otto Bittner
583d3021fa
ci: parse ovmf binaries from metadata (#1962)
Subsequently the metadata will be uploaded to the
attestationconfigapi so the CLI can use the data to
precalculate measurements.
2023-07-27 13:29:43 +02:00
Adrian Stobbe
a3184af7a2
cli: add iam upgrade apply (#2132)
* add new iam upgrade apply

* remove iam tf plan from upgrade apply check

* add iam migration warning to upgrade apply

* update release process

* document migration

* Apply suggestions from code review

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* add iam upgrade

* remove upgrade dir check in test

* ask only without --yes

* make iam upgrade provider specific

* test without seperate logins

* remove csi and only add conditionally

* Revert "test without seperate logins"

This reverts commit 05a12e59c9.

* fix msising cred

* support iam migration for all csps

* add iam upgrade label

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-07-26 17:29:03 +02:00
Paul Meyer
342a71fa36 bazel: fix container versioning
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-26 13:46:27 +02:00
Paul Meyer
c8bc3ea5ee ci: build bazel container
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-25 15:41:55 +02:00
Adrian Stobbe
a87b7894db
aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090)
* add current chart

add current helm chart

* disable service controller for aws ccm

* add new iam roles

* doc AWS internet LB + add to LB test

* pass clusterName to helm for AWS LB

* fix update-aws-lb chart to also include .helmignore

* move chart outside services

* working state

* add subnet tags for AWS subnet discovery

* fix .helmignore load rule with file in subdirectory

* upgrade iam profile

* revert new loader impl since cilium is not correctly loaded

* install chart if not already present during `upgrade apply`

* cleanup PR + fix build + add todos

cleanup PR + add todos

* shared helm pkg for cli install and bootstrapper

* add link to eks docs

* refactor iamMigrationCmd

* delete unused helm.symwallk

* move iammigrate to upgrade pkg

* fixup! delete unused helm.symwallk

* add to upgradecheck

* remove nodeSelector from go code (Otto)

* update iam docs and sort permission + remove duplicate roles

* fix bug in `upgrade check`

* better upgrade check output when svc version upgrade not possible

* pr feedback

* remove force flag in upgrade_test

* use upgrader.GetUpgradeID instead of extra type

* remove todos + fix check

* update doc lb (leo)

* remove bootstrapper helm package

* Update cli/internal/cmd/upgradecheck.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* final nits

* add docs for e2e upgrade test setup

* Apply suggestions from code review

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/helm/loader.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update cli/internal/cmd/tfmigrationclient.go

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* fix daniel review

* link to the iam permissions instead of manually updating them (agreed with leo)

* disable iam upgrade in upgrade apply

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll
2023-07-24 10:30:53 +02:00
Otto Bittner
c58d03a7b8
ci: fix ahead-check for working branch (#2120)
Also list remote branches during on-release
2023-07-19 17:48:29 +02:00
renovate[bot]
dc373971b2
deps: update dependency cryptography to v41.0.2 [SECURITY] (#2106)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-07-18 15:33:23 +02:00
Daniel Weiße
f52c6752e2
ci: update failure tasks (#2087)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-17 13:46:20 +02:00
Daniel Weiße
484b6c5c24
ci: combine node count inputs into one (#2084)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-17 13:45:53 +02:00
Otto Bittner
4f1ed669d4
ci: increase autoscaling timeout to 25m (#2103)
During testing on AWS SNP we can sometimes observe the scaling
take longer than 15 mins due to slow setup times of SNP machines.
Eventually the scaling works as expected.
2023-07-17 10:30:14 +02:00
Otto Bittner
c1c48f19bf chore: bump e2e-upgrade fromVersion 2023-07-17 10:29:43 +02:00
Moritz Sanft
43076e96a6
ci: fix resource selection for serial log downloading (#2101)
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-07-13 16:28:33 +02:00
Otto Bittner
6ed8fce6b0
ci: separate PCR0 value for aws-sev-snp variant (#2100)
Co-authored-by: Malte Poll <mp@edgeless.systems>
2023-07-13 11:37:47 +02:00
Otto Bittner
ef404b5839
ci: use us-east-2 for e2e tests (#2091)
We have much higher quotas there and thus don't need to wait for
the increase in eu-west-1.
2023-07-12 10:51:52 +02:00
Paul Meyer
01f518f0a4
deps: update to Go v1.20.6 (#2093)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-12 09:51:40 +02:00
renovate[bot]
c1c4e72c61
deps: update golang Docker tag to v1.20.6 (#2092)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-12 08:46:51 +02:00
Otto Bittner
f97edd512d
ci: use 2.8 as fromVersion in release upgrade test (#2086)
The current value (2.7.1) is outdated since the release of 2.8.
2023-07-11 09:56:43 +02:00
Otto Bittner
cfa3bb6276
ci: do not build additional streams (#2085)
Large amounts of uploaded data seem to break the GH Actions cache.
2023-07-10 17:46:08 +02:00
Moritz Sanft
184530a80d
ci: update aws asg resource selector (#1991)
* update resource selector

* tidy

* fix shellcheck

* bazel tidy
2023-07-10 11:13:37 +02:00
Adrian Stobbe
304fbf04e6
ci: fix notify e2e failure (#2078) 2023-07-10 10:44:30 +02:00
Malte Poll
c6230ff8ca
ci: add constellation-windows-amd64.exe to release artifacts uploaded to GitHub (#2075) 2023-07-10 10:21:48 +02:00
Adrian Stobbe
fafafb48d7 pin dependency for aws-snp-launchmeasurement 2023-07-07 16:44:31 +02:00
Malte Poll
6c5ad09a93
ci: build all streams on release (#2058) 2023-07-07 12:09:15 +02:00
Adrian Stobbe
2436b8da34
fix wrong name (#2055) 2023-07-07 11:53:39 +02:00
Adrian Stobbe
4434abbde2
more debug output for e2e notify (#2035) 2023-07-06 15:17:58 +02:00
renovate[bot]
0b892f23e6
deps: update golang:1.20.5 Docker digest to 7f2cf49 (#2022)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-05 15:45:36 +02:00
Adrian Stobbe
3eecb5d7b2
feat: get notified in Teams on E2E test failure ticket (#2021)
* init

* update

* can only include selected entity in request
2023-07-05 15:37:38 +02:00
Malte Poll
46d69abe10
bazel: rewrite pseudo-version stamping in bash (#2020)
* bazel: simplify workspace_status command to only depend on bash and git
* bazel: remove pseudo-version freshness code
2023-07-05 14:42:18 +02:00
Paul Meyer
7968d165c6 ci: use strict semver for gcp guest agent image
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-04 13:23:33 +02:00
Daniel Weiße
90dbeae16b
cli: fix duplicate backup creation during upgrade apply (#1997)
* Use CLI to fetch measurements in e2e test

* Abort helm service upgrade early if user confirmation is missing

* Add container push to CLI build action

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-03 15:13:36 +02:00
renovate[bot]
576b48c8b7
deps: update GitHub action dependencies (#1848)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-07-03 08:19:10 +02:00
Adrian Stobbe
00ee11084e
add e2e mini to weekly (#1982) 2023-06-30 10:05:24 +02:00
Daniel Weiße
a241a84770
ci: use generate-config flag for old CLI versions (#1984)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-06-29 15:46:36 +02:00
Malte Poll
6dd8a571ec
ci: fix expected value for PCR7 on AWS (#1979)
This has changed when upgrading to Fedora 38.
It didn't surface as a bug since the PCR is marked as warnOnly.
2023-06-28 15:33:14 +02:00
miampf
77b28cb5e7
cli: change generate-config flag to update-config flag (#1897) 2023-06-28 12:47:44 +00:00
Malte Poll
78fb0066e4
ci: add automated tests for reproducible builds (#1914)
* ci: reproducible builds test
* deps: upgrade actionlint to support macos-13 runners
2023-06-23 12:12:32 +02:00
Otto Bittner
114103c46b
ci: download bootlogs in correct aws region (#1956) 2023-06-22 17:56:05 +02:00
Moritz Sanft
94b21e11ad
ci: Windows cli tests (#1859)
* wip: add windows e2e test

* wip: register windows e2e tests

* remove registration

* wip: change CLI artifact name

* basic windows test

* checkout repo

* use correct iam create command

* remove trademarked name

* enable debug logs

* add pwsh liveliness check script

* delimiters

* set kubeconfig env var

* test

* use setx to set env var

* set envvar before liveness probe

* explicitly set kubeconfig
2023-06-21 12:05:04 +02:00
Daniel Weiße
eb1e1502c1
ci: run cdbg with debug verbosity (#1953)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-06-21 10:26:22 +02:00
Moritz Sanft
f3c2198a9a
ci: improve pr template (#1946)
* improve PR template

* Update .github/pull_request_template.md

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

---------

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2023-06-21 08:59:29 +02:00
renovate[bot]
d2c4cd1785
deps: update aws-actions/configure-aws-credentials action to v2 (#1950)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-06-20 18:59:07 +02:00
renovate[bot]
3f714f538b
deps: update peter-evans/create-pull-request action to v5 (#1949)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-06-20 16:37:01 +02:00
renovate[bot]
684b61ac2b
deps: update docker/build-push-action action to v4 (#1948)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-06-20 13:39:32 +02:00
renovate[bot]
5bf59808e1
deps: update cachix/install-nix-action action to v22 (#1947)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-06-20 13:08:52 +02:00
renovate[bot]
de2c21b555
deps: update Python dependencies (#1888)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
2023-06-20 11:04:48 +02:00
Adrian Stobbe
7dcd8c3dab
dev-docs: refactor and add information for newbies (#1912)
* refactor dev-docs structure and add information

* improve doc

* Update dev-docs/workflows/create-debug-cluster.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* Update dev-docs/workflows/create-debug-cluster.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* pr feedback daniel

* Update dev-docs/README.md

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>

* move to howto again

* split up dev-setup and pull-request into sep files

* fix backticks

* add writing style convention + testing repo

* remove OSS cluster + reduce plugins vs code

* update bazel pre-pr doc

* ghcr img private hint

* add fetch measurement + provider sub-directory hint

* add label doc + pr title check in template

* add OSS build comment

* Update CONTRIBUTING.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update CONTRIBUTING.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update dev-docs/README.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* Update dev-docs/workflows/dev-setup.md

Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>

* thomas feedback

* add go proverb mention

---------

Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-06-19 17:39:43 +02:00
Paul Meyer
103a757557
deps: upgrade sonobuoy to v0.56.17 (#1937)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-06-15 16:54:38 +02:00
Malte Poll
264b2df902
deps: upgrade to Fedora 38 (#1909)
* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38
2023-06-15 16:50:35 +02:00
Adrian Stobbe
159d28a2c7
doc: add context to PR template (#1932)
* add context to PR template

* Update pull_request_template.md
2023-06-15 09:13:47 +02:00
Otto Bittner
c33ab624c1
ci: upgrade fromVersion in e2e-upgrade (#1931)
We released 2.8 so we need to test that it can upgrade to HEAD.
2023-06-15 07:49:30 +02:00
Adrian Stobbe
07de6482b2
config: drop support for deprecated Azure's service principal authentication (#1906)
* invalidate app client id field for azure and provide info

* remove TestNewWithDefaultOptions case

* fix test

* remove appClientID field

* remove client secret + rename err

* remove from docs

* otto feedback

* update docs

* delete env test in cfg since no envs set anymore

* Update dev-docs/workflows/github-actions.md

Co-authored-by: Otto Bittner <cobittner@posteo.net>

* WARNING to stderr

* fix check

---------

Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-06-14 17:50:57 +02:00
Otto Bittner
7a1c70d7e5
ci: replace katexochen with elchead in assignee list (#1928)
katexochen is currently working on CoCo and not
involved in active development.
2023-06-14 11:44:45 +02:00
Malte Poll
ee77e3922a
ci: explicitly add CLI signature as release artifact (#1917) 2023-06-14 09:56:11 +02:00
3u13r
b71b5103ae
ci: migrate e2e lb test to bazel (#1892)
* ci: migrate lb e2e test to bazel
* ci: disable shared bazel cache on github runners
2023-06-09 16:59:19 +02:00
Otto Bittner
8f21972aec
attestation: add awsSEVSNP as new variant (#1900)
* variant: move into internal/attestation
* attesation: move aws attesation into subfolder nitrotpm
* config: add aws-sev-snp variant
* cli: add tf option to enable AWS SNP

For now the implementations in aws/nitrotpm and aws/snp
are identical. They both contain the aws/nitrotpm impl.
A separate commit will add the actual attestation logic.
2023-06-09 15:41:02 +02:00
Moritz Sanft
72e168e653
bazel: pseudo version tool freshness check (#1869)
* switch to darwin compatible shasum

* add bazel rule

* update shellscript for in-place updates

* Revert "update shellscript for in-place updates"

This reverts commit 87d39b06f7.

* add version tool freshness check

* remove pseudo-version file

* revert to `sha256sum`

* fix workflow indentation
2023-06-09 11:50:51 +02:00