name: e2e test weekly on: workflow_dispatch: schedule: - cron: "0 3 * * 6" # At 03:00 on Saturday. jobs: find-latest-image: strategy: fail-fast: false matrix: refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"] name: Find latest image runs-on: ubuntu-22.04 permissions: id-token: write contents: read outputs: image-main-debug: ${{ steps.relabel-output.outputs.image-main-debug }} image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }} image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }} steps: - name: Checkout uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Select relevant image id: select-image-action uses: ./.github/actions/select_image with: osImage: ${{ matrix.refStream }} - name: Relabel output id: relabel-output shell: bash run: | ref=$(echo ${{ matrix.refStream }} | cut -d/ -f2) stream=$(echo ${{ matrix.refStream }} | cut -d/ -f4) echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT" e2e-weekly: strategy: fail-fast: false max-parallel: 4 matrix: include: # # Tests on main-debug refStream # # Sonobuoy full test on latest k8s version - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "sonobuoy full" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" # Sonobuoy quick test on all but the latest k8s versions - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.27" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" kubernetes-version: "v1.27" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.27" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.27" clusterCreation: "cli" - test: "sonobuoy quick" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" kubernetes-version: "v1.27" clusterCreation: "cli" # verify test on latest k8s version - test: "verify" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests. clusterCreation: "cli" - test: "verify" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "verify" attestationVariant: "aws-sev-snp" refStream: "ref/main/stream/debug/?" kubernetes-version: "v1.29" clusterCreation: "cli" # recover test on latest k8s version - test: "recover" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "recover" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "recover" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "recover" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "recover" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" # lb test on latest k8s version - test: "lb" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "lb" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "lb" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "lb" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "lb" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" # autoscaling test on latest k8s version - test: "autoscaling" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "autoscaling" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "autoscaling" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "autoscaling" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.29" clusterCreation: "cli" - test: "autoscaling" refStream: "ref/main/stream/debug/?" attestationVariant: "aws-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" # perf-bench test on latest k8s version, not supported on AWS - test: "perf-bench" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" # Not yet supported on gcp-sev-snp #- test: "perf-bench" # refStream: "ref/main/stream/debug/?" # attestationVariant: "gcp-sev-snp" # kubernetes-version: "v1.29" # clusterCreation: "cli" - test: "perf-bench" refStream: "ref/main/stream/debug/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.29" clusterCreation: "cli" # TODO: check what needs to be done for perf-bench on Azure TDX #- test: "perf-bench" # refStream: "ref/main/stream/debug/?" # attestationVariant: "azure-tdx" # kubernetes-version: "v1.29" # clusterCreation: "cli" # s3proxy test on latest k8s version - test: "s3proxy" refStream: "ref/main/stream/debug/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.29" clusterCreation: "cli" # # Tests on release-stable refStream # # verify test on default k8s version - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "gcp-sev-es" kubernetes-version: "v1.28" clusterCreation: "cli" # TODO(msanft): Enable once stable GCP SEV-SNP images exist. # - test: "verify" # refStream: "ref/release/stream/stable/?" # attestationVariant: "gcp-sev-snp" # kubernetes-version: "v1.28" # clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "azure-sev-snp" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "azure-tdx" kubernetes-version: "v1.28" clusterCreation: "cli" - test: "verify" refStream: "ref/release/stream/stable/?" attestationVariant: "aws-sev-snp" kubernetes-version: "v1.28" clusterCreation: "cli" runs-on: ubuntu-22.04 permissions: id-token: write checks: write contents: read packages: write actions: write needs: [find-latest-image] steps: - name: Check out repository uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Split attestationVariant id: split-attestationVariant shell: bash run: | attestationVariant="${{ matrix.attestationVariant }}" cloudProvider="${attestationVariant%%-*}" echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT" - name: Run E2E test id: e2e_test uses: ./.github/actions/e2e_test with: workerNodesCount: "2" controlNodesCount: "3" cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} attestationVariant: ${{ matrix.attestationVariant }} osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }} isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }} cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }} kubernetesVersion: ${{ matrix.kubernetes-version }} refStream: ${{ matrix.refStream }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} gcpProject: constellation-e2e gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com" test: ${{ matrix.test }} azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} registry: ghcr.io githubToken: ${{ secrets.GITHUB_TOKEN }} cosignPassword: ${{ secrets.COSIGN_PASSWORD }} cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }} fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }} azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }} clusterCreation: ${{ matrix.clusterCreation }} s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }} s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Always terminate cluster if: always() uses: ./.github/actions/constellation_destroy with: kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} clusterCreation: ${{ matrix.clusterCreation }} cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }} gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com" - name: Always delete IAM configuration if: always() uses: ./.github/actions/constellation_iam_destroy with: cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com" - name: Update tfstate if: always() env: GH_TOKEN: ${{ github.token }} uses: ./.github/actions/update_tfstate with: name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }} runID: ${{ github.run_id }} encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }} - name: Notify about failure if: | failure() && github.ref == 'refs/heads/main' && github.event_name == 'schedule' continue-on-error: true uses: ./.github/actions/notify_e2e_failure with: projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }} refStream: ${{ matrix.refStream }} test: ${{ matrix.test }} kubernetesVersion: ${{ matrix.kubernetes-version }} provider: ${{ steps.split-attestationVariant.outputs.cloudProvider }} attestationVariant: ${{ matrix.attestationVariant }} clusterCreation: ${{ matrix.clusterCreation }} e2e-upgrade: strategy: fail-fast: false max-parallel: 1 matrix: fromVersion: ["v2.16.2"] attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"] name: Run upgrade tests secrets: inherit permissions: id-token: write checks: write contents: read packages: write actions: write uses: ./.github/workflows/e2e-upgrade.yml with: fromVersion: ${{ matrix.fromVersion }} attestationVariant: ${{ matrix.attestationVariant }} nodeCount: '3:2' scheduled: ${{ github.event_name == 'schedule' }} e2e-mini: name: Run miniconstellation E2E test runs-on: ubuntu-22.04 environment: e2e permissions: id-token: write contents: read packages: write steps: - name: Checkout id: checkout uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: Azure login OIDC uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 with: client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Run e2e MiniConstellation uses: ./.github/actions/e2e_mini with: azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }} azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} azureTenantID: ${{ secrets.AZURE_TENANT_ID }} azureIAMCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} registry: ghcr.io githubToken: ${{ secrets.GITHUB_TOKEN }} - name: Notify about failure if: | failure() && github.ref == 'refs/heads/main' && github.event_name == 'schedule' continue-on-error: true uses: ./.github/actions/notify_e2e_failure with: projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }} test: "MiniConstellation" provider: "QEMU" attestationVariant: "qemu-vtpm" e2e-windows: name: Run Windows E2E test permissions: id-token: write contents: read packages: write checks: write secrets: inherit uses: ./.github/workflows/e2e-windows.yml with: scheduled: ${{ github.event_name == 'schedule' }} e2e-terraform-provider-example: name: Run Terraform provider example E2E test strategy: fail-fast: false matrix: attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"] permissions: id-token: write contents: read packages: write secrets: inherit uses: ./.github/workflows/e2e-test-provider-example.yml with: attestationVariant: ${{ matrix.attestationVariant }}