/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
// add-version adds a new constellation release version to the list of available versions.
// It is meant to be run by the CI pipeline to make new versions available / discoverable.
package main
import (
"bytes"
"context"
"encoding/json"
"errors"
"flag"
"fmt"
"path"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
awsconfig "github.com/aws/aws-sdk-go-v2/config"
s3manager "github.com/aws/aws-sdk-go-v2/feature/s3/manager"
"github.com/aws/aws-sdk-go-v2/service/cloudfront"
cftypes "github.com/aws/aws-sdk-go-v2/service/cloudfront/types"
"github.com/aws/aws-sdk-go-v2/service/s3"
s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/versionsapi"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
"golang.org/x/mod/semver"
)
var errVersionListMissing = errors.New("version list does not exist")
const (
skipRefStr = "-"
imageKind = "image"
defaultRegion = "eu-central-1"
defaultBucket = "cdn-constellation-backend"
defaultDistributionID = "E1H77EZTHC3NE4"
maxCacheInvalidationWaitTime = 5 * time.Minute
)
func main() {
log := logger.New(logger.JSONLog, zapcore.InfoLevel)
ctx := context.Background()
flags := flags{
version: flag.String("version", "", "Version to add (format: \"v1.2.3\")"),
stream: flag.String("stream", "", "Stream to add the version to"),
ref: flag.String("ref", "", "Ref to add the version to"),
release: flag.Bool("release", false, "Whether the version is a release"),
latest: flag.Bool("latest", false, "Whether to set this version as the new latest version"),
dryRun: flag.Bool("dryrun", false, "Whether to run in dry-run mode (no changes are made)"),
region: flag.String("region", defaultRegion, "AWS region"),
bucket: flag.String("bucket", defaultBucket, "S3 bucket"),
distributionID: flag.String("distribution-id", defaultDistributionID, "cloudfront distribution id"),
}
flag.Parse()
if err := flags.validate(); err != nil {
log.With(zap.Error(err)).Fatalf("Invalid flags")
}
updateFetcher := versionsapi.New()
versionManager, err := newVersionManager(ctx, *flags.region, *flags.bucket, *flags.distributionID, *flags.dryRun, log)
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to create version uploader")
}
ver := version{
versionStr: *flags.version,
stream: *flags.stream,
ref: *flags.ref,
}
if err := ensureMinorVersion(ctx, versionManager, ver, log); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to ensure minor version")
}
added, err := ensurePatchVersion(ctx, versionManager, ver, log)
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to ensure patch version")
}
if added && *flags.latest {
if err := versionManager.addLatest(ctx, ver); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to update latest version object")
}
log.Infof("Added %q as latest version.", ver)
}
log.Infof("Major to minor url: %s", ver.URL(granularityMajor))
log.Infof("Minor to patch url: %s", ver.URL(granularityMinor))
if !versionManager.dirty {
log.Infof("No changes made, everything up to date.")
return
}
log.Infof("Successfully added version %q", *flags.version)
log.Infof("Waiting for cache invalidation.")
if err := versionManager.invalidateCaches(ctx, ver, *flags.latest); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to invalidate caches")
}
waitForCacheUpdate(ctx, updateFetcher, ver, log)
}
func ensureMinorVersion(ctx context.Context, versionManager *versionManager, ver version, log *logger.Logger) error {
minorVerList, err := versionManager.getVersionList(ctx, ver, granularityMajor)
log.Debugf("Minor version list: %v", minorVerList)
if errors.Is(err, errVersionListMissing) {
log.Infof("Version list for minor versions under %q does not exist. Creating new list.", ver.Major())
minorVerList = &versionsapi.List{
Ref: ver.Ref(),
Stream: ver.Stream(),
Granularity: "major",
Base: ver.Major(),
Kind: imageKind,
Versions: []string{},
}
} else if err != nil {
return fmt.Errorf("failed to list minor versions: %w", err)
}
if minorVerList.Contains(ver.MajorMinor()) {
log.Infof("Version %q already exists in list %v.", ver.MajorMinor(), minorVerList.Versions)
return nil
}
minorVerList.Versions = append(minorVerList.Versions, ver.MajorMinor())
log.Debugf("New minor version list: %v", minorVerList)
if err := versionManager.updateVersionList(ctx, minorVerList); err != nil {
return fmt.Errorf("failed to add minor version: %w", err)
}
log.Infof("Added %q to list.", ver.MajorMinor())
return nil
}
func ensurePatchVersion(ctx context.Context, versionManager *versionManager, ver version, log *logger.Logger) (bool, error) {
pathVerList, err := versionManager.getVersionList(ctx, ver, granularityMinor)
if errors.Is(err, errVersionListMissing) {
log.Infof("Version list for patch versions under %q does not exist. Creating new list.", ver.MajorMinor())
pathVerList = &versionsapi.List{
Ref: ver.Ref(),
Stream: ver.Stream(),
Granularity: "minor",
Base: ver.MajorMinor(),
Kind: imageKind,
Versions: []string{},
}
} else if err != nil {
return false, fmt.Errorf("failed to get patch versions: %w", err)
}
if pathVerList.Contains(ver.String()) {
log.Infof("Version %q already exists in list %v.", ver.String(), pathVerList.Versions)
return false, nil
}
pathVerList.Versions = append(pathVerList.Versions, ver.String())
if err := versionManager.updateVersionList(ctx, pathVerList); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to add patch version")
}
log.Infof("Added %q to list.", ver.String())
return true, nil
}
type version struct {
versionStr string
stream string
ref string
}
func (v *version) String() string {
return semver.Canonical(v.versionStr)
}
func (v *version) Major() string {
return semver.Major(v.versionStr)
}
func (v *version) MajorMinor() string {
return semver.MajorMinor(v.versionStr)
}
func (v *version) WithGranularity(gran granularity) string {
switch gran {
case granularityMajor:
return v.Major()
case granularityMinor:
return v.MajorMinor()
default:
return ""
}
}
func (v *version) URL(gran granularity) string {
return constants.CDNRepositoryURL + "/" + v.JSONPath(gran)
}
func (v *version) JSONPath(gran granularity) string {
return path.Join(constants.CDNAPIPrefix, "ref", v.ref, "stream", v.stream, "versions", gran.String(), v.WithGranularity(gran), imageKind+".json")
}
func (v *version) Stream() string {
return v.stream
}
func (v *version) Ref() string {
return v.ref
}
type flags struct {
version *string
stream *string
ref *string
release *bool
latest *bool
dryRun *bool
region *string
bucket *string
distributionID *string
}
func (f *flags) validate() error {
if err := validateVersion(*f.version); err != nil {
return err
}
if *f.ref == "" && !*f.release {
if !*f.release {
return fmt.Errorf("branch flag must be set for non-release versions")
}
}
if *f.ref != "" && *f.release {
return fmt.Errorf("branch flag must not be set for release versions")
}
if *f.release {
*f.ref = skipRefStr
} else {
*f.latest = true // always set latest for non-release versions
}
ref := versionsapi.CanonicalRef(*f.ref)
if !versionsapi.IsValidRef(ref) {
return fmt.Errorf("invalid ref %q", *f.ref)
}
*f.ref = ref
if !versionsapi.IsValidStream(*f.ref, *f.stream) {
return fmt.Errorf("invalid stream %q for ref %q", *f.stream, *f.ref)
}
return nil
}
func validateVersion(version string) error {
if !semver.IsValid(version) {
return fmt.Errorf("version %q is not a valid semantic version", version)
}
if semver.Canonical(version) != version {
return fmt.Errorf("version %q is not a canonical semantic version", version)
}
return nil
}
func ensureMinorVersionExists(ctx context.Context, fetcher *versionsapi.Fetcher, ver version) error {
existingMinorVersions, err := fetcher.MinorVersionsOf(ctx, ver.Ref(), ver.Stream(), ver.Major(), imageKind)
if err != nil {
return err
}
if !existingMinorVersions.Contains(ver.MajorMinor()) {
return errors.New("minor version does not exist")
}
return nil
}
func ensurePatchVersionExists(ctx context.Context, fetcher *versionsapi.Fetcher, ver version) error {
existingPatchVersions, err := fetcher.PatchVersionsOf(ctx, ver.Ref(), ver.Stream(), ver.MajorMinor(), imageKind)
if err != nil {
return err
}
if !existingPatchVersions.Contains(ver.String()) {
return errors.New("patch version does not exist")
}
return nil
}
type versionManager struct {
config aws.Config
cloudfrontc *cloudfront.Client
s3c *s3.Client
uploader *s3manager.Uploader
bucket string
distributionID string
dirty bool // manager gets dirty on write
dryRun bool // no write operations
log *logger.Logger
}
func newVersionManager(ctx context.Context, region, bucket, distributionID string, dryRun bool, log *logger.Logger) (*versionManager, error) {
cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(region))
if err != nil {
return nil, err
}
cloudfrontc := cloudfront.NewFromConfig(cfg)
s3c := s3.NewFromConfig(cfg)
uploader := s3manager.NewUploader(s3c)
return &versionManager{
config: cfg,
cloudfrontc: cloudfrontc,
s3c: s3c,
uploader: uploader,
bucket: bucket,
distributionID: distributionID,
dryRun: dryRun,
log: log,
}, nil
}
func (m *versionManager) getVersionList(ctx context.Context, ver version, gran granularity) (*versionsapi.List, error) {
in := &s3.GetObjectInput{
Bucket: aws.String(m.bucket),
Key: aws.String(ver.JSONPath(gran)),
}
out, err := m.s3c.GetObject(ctx, in)
var noSuchkey *s3types.NoSuchKey
if errors.As(err, &noSuchkey) {
return nil, errVersionListMissing
} else if err != nil {
return nil, err
}
defer out.Body.Close()
var list versionsapi.List
if err := json.NewDecoder(out.Body).Decode(&list); err != nil {
return nil, err
}
return &list, nil
}
func (m *versionManager) updateVersionList(ctx context.Context, list *versionsapi.List) error {
semver.Sort(list.Versions)
if err := list.Validate(); err != nil {
return err
}
rawList, err := json.Marshal(list)
if err != nil {
return err
}
in := &s3.PutObjectInput{
Bucket: aws.String(m.bucket),
Key: aws.String(list.JSONPath()),
Body: bytes.NewBuffer(rawList),
}
if m.dryRun {
m.log.Infof("dryRun: s3 put object {Bucket: %v, Key: %v, Body: %v", m.bucket, list.JSONPath(), string(rawList))
return nil
}
m.dirty = true
_, err = m.uploader.Upload(ctx, in)
return err
}
func (m *versionManager) addLatest(ctx context.Context, ver version) error {
latest := &versionsapi.Latest{
Ref: ver.Ref(),
Stream: ver.Stream(),
Kind: imageKind,
Version: ver.String(),
}
if err := latest.Validate(); err != nil {
return err
}
rawLatest, err := json.Marshal(latest)
if err != nil {
return err
}
in := &s3.PutObjectInput{
Bucket: aws.String(m.bucket),
Key: aws.String(latest.JSONPath()),
Body: bytes.NewBuffer(rawLatest),
}
if m.dryRun {
m.log.Infof("dryRun: s3 put object {Bucket: %v, Key: %v, Body: %v", m.bucket, latest.JSONPath(), string(rawLatest))
return nil
}
m.dirty = true
_, err = m.uploader.Upload(ctx, in)
return err
}
func (m *versionManager) invalidateCaches(ctx context.Context, ver version, latest bool) error {
invalidIn := &cloudfront.CreateInvalidationInput{
DistributionId: aws.String(m.distributionID),
InvalidationBatch: &cftypes.InvalidationBatch{
CallerReference: aws.String(fmt.Sprintf("%d", time.Now().Unix())),
Paths: &cftypes.Paths{
Quantity: aws.Int32(2),
Items: []string{
"/" + ver.URL(granularityMajor),
"/" + ver.URL(granularityMinor),
},
},
},
}
if latest {
invalidIn.InvalidationBatch.Paths.Quantity = aws.Int32(3)
path := path.Join("ref", ver.Ref(), "stream", ver.Stream(), "versions/latest/image.json")
invalidIn.InvalidationBatch.Paths.Items = append(invalidIn.InvalidationBatch.Paths.Items, "/"+path)
}
invalidation, err := m.cloudfrontc.CreateInvalidation(ctx, invalidIn)
if err != nil {
return err
}
waiter := cloudfront.NewInvalidationCompletedWaiter(m.cloudfrontc)
waitIn := &cloudfront.GetInvalidationInput{
DistributionId: aws.String(m.distributionID),
Id: invalidation.Invalidation.Id,
}
if err := waiter.Wait(ctx, waitIn, maxCacheInvalidationWaitTime); err != nil {
return err
}
return nil
}
func waitForCacheUpdate(ctx context.Context, updateFetcher *versionsapi.Fetcher, ver version, log *logger.Logger) {
sawAddedVersions := true
if err := ensureMinorVersionExists(ctx, updateFetcher, ver); err != nil {
sawAddedVersions = false
log.Warnf("Failed to ensure minor version exists: %v. This may be resolved by waiting.", err)
}
if err := ensurePatchVersionExists(ctx, updateFetcher, ver); err != nil {
sawAddedVersions = false
log.Warnf("Failed to ensure patch version exists: %v. This may be resolved by waiting.", err)
}
if sawAddedVersions {
log.Infof("Versions are available via API.")
}
}
type granularity int
const (
granularityMajor granularity = iota
granularityMinor
)
func (g granularity) String() string {
switch g {
case granularityMajor:
return "major"
case granularityMinor:
return "minor"
default:
return "unknown"
}
}