name: Constellation create description: Create a new Constellation cluster using latest OS image. inputs: workerNodesCount: description: "Number of worker nodes to spawn." required: true controlNodesCount: description: "Number of control-plane nodes to spawn." required: true cloudProvider: description: "Either 'gcp' or 'azure'." required: true machineType: description: "Machine type of VM to spawn." required: false osImage: description: "OS image to use." required: true isDebugImage: description: "Is OS img a debug img?" required: true kubernetesVersion: description: "Kubernetes version to create the cluster from." required: false artifactNameSuffix: description: "Suffix for artifact naming." required: true keepMeasurements: default: "false" description: "Keep measurements embedded in the CLI." existingConfig: default: "false" description: "Use existing config file." # # GCP specific inputs # gcpProject: description: "The GCP project to deploy Constellation in." required: false gcpInClusterServiceAccountKey: description: "The GCP Service account to use inside the created Constellation cluster." required: false # # Azure specific inputs # azureSubscription: description: "The Azure subscription ID to deploy Constellation in." required: false azureTenant: description: "The Azure tenant ID to deploy Constellation in." required: false azureClientID: description: "The Azure client ID of the application registration created for Constellation." required: false azureClientSecret: description: "The Azure client secret value of the used secret." required: false azureUserAssignedIdentity: description: "The Azure user assigned identity to use for Constellation." required: false azureResourceGroup: description: "The Azure resource group to use for Constellation cluster" required: false outputs: kubeconfig: description: "The kubeconfig for the cluster." value: ${{ steps.constellation-init.outputs.KUBECONFIG }} masterSecret: description: "The master-secret for the cluster." value: ${{ steps.constellation-init.outputs.MASTERSECRET }} osImageUsed: description: "The OS image used in the cluster." value: ${{ steps.setImage.outputs.image }} runs: using: "composite" steps: - name: Constellation config generate shell: bash if: inputs.existingConfig != 'true' run: | if [[ -n "${{ inputs.kubernetesVersion }}" ]]; then constellation config generate ${{ inputs.cloudProvider }} --kubernetes="${{ inputs.kubernetesVersion }}" --debug else constellation config generate ${{ inputs.cloudProvider }} --debug fi yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml yq eval -i \ "(.provider | select(. | has(\"azure\")).azure.subscription) = \"${{ inputs.azureSubscription }}\" | (.provider | select(. | has(\"azure\")).azure.tenant) = \"${{ inputs.azureTenant }}\" | (.provider | select(. | has(\"azure\")).azure.location) = \"West US\" | (.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"${{ inputs.azureUserAssignedIdentity }}\" | (.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" | constellation-conf.yaml yq eval -i \ "(.provider | select(. | has(\"gcp\")).gcp.project) = \"${{ inputs.gcpProject }}\" | (.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" | (.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" | (.provider | select(. | has(\"gcp\")).gcp.serviceAccountKeyPath) = \"serviceAccountKey.json\"" \ constellation-conf.yaml yq eval -i \ "(.provider | select(. | has(\"aws\")).aws.region) = \"us-east-2\" | (.provider | select(. | has(\"aws\")).aws.zone) = \"us-east-2c\" | (.provider | select(. | has(\"aws\")).aws.iamProfileControlPlane) = \"e2e_test_control_plane_instance_profile\" | (.provider | select(. | has(\"aws\")).aws.iamProfileWorkerNodes) = \"e2e_test_worker_node_instance_profile\"" \ constellation-conf.yaml if [[ -n "${{ inputs.kubernetesVersion }}" ]]; then yq eval -i "(.kubernetesVersion) = \"${{ inputs.kubernetesVersion }}\"" constellation-conf.yaml fi - name: Remove embedded measurements if: inputs.keepMeasurements == 'false' shell: bash run: | if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]] then yq eval -i \ "(.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml yq eval -i \ "(.provider | select(. | has(\"azure\")).azure.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml yq eval -i \ "(.provider | select(. | has(\"gcp\")).gcp.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\ constellation-conf.yaml yq eval -i \ "(.provider | select(. | has(\"qemu\")).qemu.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml else yq eval -i \ "(.attestation | select(. | has(\"awsNitroTPM\")).awsNitroTPM.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml yq eval -i \ "(.attestation | select(. | has(\"awsSEVSNP\")).awsSEVSNP.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml yq eval -i \ "(.attestation | select(. | has(\"azureSEVSNP\")).azureSEVSNP.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml yq eval -i \ "(.attestation | select(. | has(\"azureTrustedLaunch\")).azureTrustedLaunch.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml yq eval -i \ "(.attestation | select(. | has(\"gcpSEVES\")).gcpSEVES.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\ constellation-conf.yaml yq eval -i \ "(.attestation | select(. | has(\"qemuVTPM\")).qemuVTPM.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ constellation-conf.yaml fi - name: Set image id: setImage shell: bash env: imageInput: ${{ inputs.osImage }} run: | if [[ -z "${imageInput}" ]]; then echo "No image specified. Using default image from config." image=$(yq eval ".image" constellation-conf.yaml) echo "image=${image}" | tee -a "$GITHUB_OUTPUT" exit 0 fi yq eval -i "(.image) = \"${imageInput}\"" constellation-conf.yaml echo "image=${imageInput}" | tee -a "$GITHUB_OUTPUT" - name: Set instanceType if: inputs.machineType && inputs.machineType != 'default' shell: bash run: | yq eval -i "(.provider | select(. | has(\"azure\")).azure.instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml yq eval -i "(.provider | select(. | has(\"gcp\")).gcp.instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml yq eval -i "(.provider | select(. | has(\"aws\")).aws.instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml - name: Create serviceAccountKey.json if: inputs.cloudProvider == 'gcp' && !inputs.existingConfig # Skip if using existing config. serviceAccountKey.json is already present in that case. shell: bash env: GCP_CLUSTER_SERVICE_ACCOUNT_KEY: ${{ inputs.gcpInClusterServiceAccountKey }} run: | echo "$GCP_CLUSTER_SERVICE_ACCOUNT_KEY" > serviceAccountKey.json - name: Enable debugCluster flag if: inputs.isDebugImage == 'true' shell: bash run: | yq eval -i '(.debugCluster) = true' constellation-conf.yaml # Uses --force flag since the CLI currently does not have a pre-release version and is always on the latest released version. # However, many of our pipelines work on prerelease images. Thus the used images are newer than the CLI's version. # This makes the version validation in the CLI fail. - name: Constellation create shell: bash run: | echo "Creating cluster using config:" cat constellation-conf.yaml sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true output=$(constellation --help) if [[ $output == *"tf-log"* ]]; then TFFLAG="--tf-log=DEBUG" fi constellation create -c ${{ inputs.controlNodesCount }} -w ${{ inputs.workerNodesCount }} -y --force --debug ${TFFLAG:-} - name: Cdbg deploy if: inputs.isDebugImage == 'true' shell: bash run: | echo "::group::cdbg deploy" chmod +x $GITHUB_WORKSPACE/build/cdbg cdbg deploy \ --bootstrapper "${{ github.workspace }}/build/bootstrapper" \ --upgrade-agent "${{ github.workspace }}/build/upgrade-agent" \ --info logcollect=true \ --info logcollect.github.actor="${{ github.triggering_actor }}" \ --info logcollect.github.workflow="${{ github.workflow }}" \ --info logcollect.github.run-id="${{ github.run_id }}" \ --info logcollect.github.run-attempt="${{ github.run_attempt }}" \ --info logcollect.github.ref-name="${{ github.ref_name }}" \ --info logcollect.github.sha="${{ github.sha }}" \ --info logcollect.github.runner-os="${{ runner.os }}" \ --verbosity=-1 \ --force echo "::endgroup::" - name: Constellation init id: constellation-init shell: bash run: | constellation init --force --debug echo "KUBECONFIG=$(pwd)/constellation-admin.conf" >> $GITHUB_OUTPUT echo "MASTERSECRET=$(pwd)/constellation-mastersecret.json" >> $GITHUB_OUTPUT - name: Wait for nodes to join and become ready shell: bash env: KUBECONFIG: "${{ steps.constellation-init.outputs.KUBECONFIG }}" JOINTIMEOUT: "1200" # 20 minutes timeout for all nodes to join run: | echo "::group::Wait for nodes" NODES_COUNT=$((${{ inputs.controlNodesCount }} + ${{ inputs.workerNodesCount }})) JOINWAIT=0 until [[ "$(kubectl get nodes -o json | jq '.items | length')" == "${NODES_COUNT}" ]] || [[ $JOINWAIT -gt $JOINTIMEOUT ]]; do echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined.. waiting.." JOINWAIT=$((JOINWAIT+30)) sleep 30 done if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then echo "Timed out waiting for nodes to join" exit 1 fi echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined" if ! kubectl wait --for=condition=ready --all nodes --timeout=20m; then kubectl get pods -n kube-system kubectl get events -n kube-system echo "::error::kubectl wait timed out before all nodes became ready" echo "::endgroup::" exit 1 fi echo "::endgroup::" - name: Download boot logs if: always() continue-on-error: true shell: bash env: CSP: ${{ inputs.cloudProvider }} run: | echo "::group::Download boot logs" case $CSP in azure) AZURE_RESOURCE_GROUP=$(yq eval ".provider.azure.resourceGroup" constellation-conf.yaml) ./.github/actions/constellation_create/az-logs.sh ${AZURE_RESOURCE_GROUP} ;; gcp) ./.github/actions/constellation_create/gcp-logs.sh ;; aws) ./.github/actions/constellation_create/aws-logs.sh us-east-2 ;; esac echo "::endgroup::" - name: Upload boot logs if: always() && !env.ACT continue-on-error: true uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: serial-logs-${{ inputs.artifactNameSuffix }} path: "*.log"