mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
0a28cdecb2
* malicious node join test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add e2e build tag Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add namespaces to job apply Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix image and workflow Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter checks Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * build instructions in Dockerfile Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * only print important flags Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use `malicious-join` namespace Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * build with bazel Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * order imports Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * test cases Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * various fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add missing quotes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix typo Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * Update e2e/malicious-join/malicious-join.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update e2e/malicious-join/malicious-join.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * use switch case Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update image version Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter checks Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * wip Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * various fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use workdir Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add required permissions Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove permissions Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove packages: write permission at step Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * login to registry Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix typo Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix log Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * source base lib Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix sourcing order Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * export after definition Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix script header Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * dont exit after -e flag has been set Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
337 lines
13 KiB
YAML
337 lines
13 KiB
YAML
name: e2e meta test
|
|
description: "This test does the infrastructure management and runs the e2e test of your choice."
|
|
|
|
inputs:
|
|
workerNodesCount:
|
|
description: "Number of worker nodes to spawn."
|
|
default: "2"
|
|
controlNodesCount:
|
|
description: "Number of control-plane nodes to spawn."
|
|
default: "3"
|
|
cloudProvider:
|
|
description: "Which cloud provider to use."
|
|
required: true
|
|
machineType:
|
|
description: "VM machine type. Make sure it matches selected cloud provider!"
|
|
osImage:
|
|
description: "OS image to run."
|
|
required: true
|
|
isDebugImage:
|
|
description: "Is OS img a debug img?"
|
|
required: true
|
|
cliVersion:
|
|
description: "Version of a released CLI to download, e.g. 'v2.3.0', leave empty to build it."
|
|
kubernetesVersion:
|
|
description: "Kubernetes version to create the cluster from."
|
|
regionZone:
|
|
description: "Region or zone to use for resource creation"
|
|
required: false
|
|
gcpProject:
|
|
description: "The GCP project to deploy Constellation in."
|
|
required: true
|
|
gcpIAMCreateServiceAccount:
|
|
description: "Service account with permissions to create IAM configuration on GCP."
|
|
required: true
|
|
gcpClusterCreateServiceAccount:
|
|
description: "Service account with permissions to create a Constellation cluster on GCP."
|
|
required: true
|
|
gcpInClusterServiceAccountKey:
|
|
description: "Service account to use inside the created Constellation cluster on GCP."
|
|
required: true
|
|
awsOpenSearchDomain:
|
|
description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
|
|
awsOpenSearchUsers:
|
|
description: "AWS OpenSearch User to upload the benchmark results."
|
|
awsOpenSearchPwd:
|
|
description: "AWS OpenSearch Password to upload the benchmark results."
|
|
azureClusterCreateCredentials:
|
|
description: "Azure credentials authorized to create a Constellation cluster."
|
|
required: true
|
|
azureIAMCreateCredentials:
|
|
description: "Azure credentials authorized to create an IAM configuration."
|
|
required: true
|
|
test:
|
|
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, malicious join, nop]."
|
|
required: true
|
|
sonobuoyTestSuiteCmd:
|
|
description: "The sonobuoy test suite to run."
|
|
buildBuddyApiKey:
|
|
description: "BuildBuddy API key for caching Bazel artifacts"
|
|
registry:
|
|
description: "Container registry to use"
|
|
required: true
|
|
githubToken:
|
|
description: "GitHub authorization token"
|
|
required: true
|
|
cosignPassword:
|
|
description: "The password for the cosign private key. Used for uploading to the config API"
|
|
cosignPrivateKey:
|
|
description: "The cosign private key. Used for uploading to the config API"
|
|
fetchMeasurements:
|
|
description: "Update measurements via the 'constellation config fetch-measurements' command."
|
|
default: "false"
|
|
azureSNPEnforcementPolicy:
|
|
description: "Enable security policy for the cluster."
|
|
|
|
outputs:
|
|
kubeconfig:
|
|
description: "The kubeconfig for the cluster."
|
|
value: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
namePrefix:
|
|
description: "The name prefix of the cloud resources used in the e2e test."
|
|
value: ${{ steps.create-prefix.outputs.prefix }}
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Check input
|
|
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "nop"]'), inputs.test))
|
|
shell: bash
|
|
run: |
|
|
echo "::error::Invalid input for test field: ${{ inputs.test }}"
|
|
exit 1
|
|
|
|
# Perf-bench's network benchmarks require at least two distinct worker nodes.
|
|
- name: Validate perf-bench inputs
|
|
if: inputs.test == 'perf-bench'
|
|
shell: bash
|
|
run: |
|
|
if [[ "${{ inputs.workerNodesCount }}" -lt 2 ]]; then
|
|
echo "::error::Test Perf-Bench requires at least 2 worker nodes."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Validate verify input
|
|
if: inputs.test == 'verify'
|
|
shell: bash
|
|
run: |
|
|
if [[ "${{ inputs.cosignPassword }}" == '' || "${{ inputs.cosignPrivateKey }}" == '' ]]; then
|
|
echo "::error::e2e test verify requires cosignPassword and cosignPrivateKey to be set."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Determine build target
|
|
id: determine-build-target
|
|
shell: bash
|
|
run: |
|
|
echo "hostOS=$(go env GOOS)" | tee -a "$GITHUB_OUTPUT"
|
|
echo "hostArch=$(go env GOARCH)" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Setup bazel
|
|
uses: ./.github/actions/setup_bazel
|
|
with:
|
|
useCache: ${{ inputs.buildBuddyApiKey != '' }}
|
|
buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
|
|
|
|
- name: Log in to the Container registry
|
|
uses: ./.github/actions/container_registry_login
|
|
with:
|
|
registry: ${{ inputs.registry }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ inputs.githubToken }}
|
|
|
|
- name: Build CLI
|
|
if: inputs.cliVersion == ''
|
|
uses: ./.github/actions/build_cli
|
|
with:
|
|
targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
|
|
targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
|
|
enterpriseCLI: true
|
|
outputPath: "build/constellation"
|
|
push: ${{ inputs.cliVersion == '' }}
|
|
|
|
- name: Download CLI
|
|
if: inputs.cliVersion != ''
|
|
shell: bash
|
|
run: |
|
|
curl -fsSL -o constellation https://github.com/edgelesssys/constellation/releases/download/${{ inputs.cliVersion }}/constellation-linux-amd64
|
|
chmod u+x constellation
|
|
echo "$(pwd)" >> $GITHUB_PATH
|
|
export PATH="$PATH:$(pwd)"
|
|
constellation version
|
|
# Do not spam license server from pipeline
|
|
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
|
|
|
|
- name: Build the bootstrapper
|
|
id: build-bootstrapper
|
|
if: inputs.isDebugImage == 'true'
|
|
uses: ./.github/actions/build_bootstrapper
|
|
|
|
- name: Build the upgrade-agent
|
|
id: build-upgrade-agent
|
|
if: inputs.isDebugImage == 'true'
|
|
uses: ./.github/actions/build_upgrade_agent
|
|
|
|
- name: Build cdbg
|
|
id: build-cdbg
|
|
if: inputs.isDebugImage == 'true'
|
|
uses: ./.github/actions/build_cdbg
|
|
with:
|
|
targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
|
|
targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
|
|
|
|
- name: Login to GCP (IAM service account)
|
|
if: inputs.cloudProvider == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: ${{ inputs.gcpIAMCreateServiceAccount }}
|
|
|
|
- name: Login to AWS (IAM role)
|
|
if: inputs.cloudProvider == 'aws'
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
|
|
aws-region: eu-central-1
|
|
# extend token expiry to 6 hours to ensure constellation can terminate
|
|
role-duration-seconds: 21600
|
|
|
|
- name: Login to Azure (IAM service principal)
|
|
if: inputs.cloudProvider == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
|
|
|
|
- name: Create prefix
|
|
id: create-prefix
|
|
shell: bash
|
|
run: |
|
|
uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
|
|
uuid=${uuid%%-*}
|
|
echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
|
|
echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
|
|
|
|
- name: Create IAM configuration
|
|
id: constellation-iam-create
|
|
uses: ./.github/actions/constellation_iam_create
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
namePrefix: ${{ steps.create-prefix.outputs.prefix }}
|
|
awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
|
|
azureRegion: ${{ inputs.regionZone || 'northeurope' }}
|
|
gcpProjectID: ${{ inputs.gcpProject }}
|
|
gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
|
|
kubernetesVersion: ${{ inputs.kubernetesVersion }}
|
|
|
|
- name: Login to GCP (Cluster service account)
|
|
if: inputs.cloudProvider == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: ${{ inputs.gcpClusterCreateServiceAccount }}
|
|
|
|
- name: Login to AWS (Cluster role)
|
|
if: inputs.cloudProvider == 'aws'
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
|
|
aws-region: eu-central-1
|
|
# extend token expiry to 6 hours to ensure constellation can terminate
|
|
role-duration-seconds: 21600
|
|
|
|
- name: Login to Azure (Cluster service principal)
|
|
if: inputs.cloudProvider == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ inputs.azureClusterCreateCredentials }}
|
|
|
|
- name: Create cluster
|
|
id: constellation-create
|
|
uses: ./.github/actions/constellation_create
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
workerNodesCount: ${{ inputs.workerNodesCount }}
|
|
controlNodesCount: ${{ inputs.controlNodesCount }}
|
|
machineType: ${{ inputs.machineType }}
|
|
osImage: ${{ inputs.osImage }}
|
|
isDebugImage: ${{ inputs.isDebugImage }}
|
|
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
|
fetchMeasurements: ${{ inputs.fetchMeasurements }}
|
|
cliVersion: ${{ inputs.cliVersion }}
|
|
azureSNPEnforcementPolicy: ${{ inputs.azureSNPEnforcementPolicy }}
|
|
|
|
- name: Deploy logcollection
|
|
id: deploy-logcollection
|
|
# TODO(msanft):temporarily deploy in debug clusters too to resolve "missing logs"-bug
|
|
# see https://dev.azure.com/Edgeless/Edgeless/_workitems/edit/3227
|
|
# if: inputs.isDebugImage == 'false'
|
|
uses: ./.github/actions/deploy_logcollection
|
|
with:
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
opensearchUser: ${{ inputs.awsOpenSearchUsers }}
|
|
opensearchPwd: ${{ inputs.awsOpenSearchPwd }}
|
|
test: ${{ inputs.test }}
|
|
provider: ${{ inputs.cloudProvider }}
|
|
isDebugImage: ${{ inputs.isDebugImage }}
|
|
|
|
#
|
|
# Test payloads
|
|
#
|
|
- name: Nop test payload
|
|
if: inputs.test == 'nop'
|
|
shell: bash
|
|
run: echo "::warning::This test has a nop payload. It doesn't run any tests."
|
|
|
|
- name: Run sonobuoy quick test
|
|
if: inputs.test == 'sonobuoy quick'
|
|
uses: ./.github/actions/e2e_sonobuoy
|
|
with:
|
|
sonobuoyTestSuiteCmd: "--mode quick"
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
|
|
|
- name: Run sonobuoy full test
|
|
if: inputs.test == 'sonobuoy full'
|
|
uses: ./.github/actions/e2e_sonobuoy
|
|
with:
|
|
# TODO(3u13r): Remove E2E_SKIP once AB#2174 is resolved
|
|
sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
|
|
|
- name: Run autoscaling test
|
|
if: inputs.test == 'autoscaling'
|
|
uses: ./.github/actions/e2e_autoscaling
|
|
with:
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
|
|
- name: Run lb test
|
|
if: inputs.test == 'lb'
|
|
uses: ./.github/actions/e2e_lb
|
|
with:
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
|
|
- name: Run Performance Benchmark
|
|
if: inputs.test == 'perf-bench'
|
|
uses: ./.github/actions/e2e_benchmark
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
|
|
awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
|
|
awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
|
|
|
|
- name: Run constellation verify test
|
|
if: inputs.test == 'verify'
|
|
uses: ./.github/actions/e2e_verify
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
osImage: ${{ steps.constellation-create.outputs.osImageUsed }}
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
cosignPassword: ${{ inputs.cosignPassword }}
|
|
cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
|
|
|
|
- name: Run recover test
|
|
if: inputs.test == 'recover'
|
|
uses: ./.github/actions/e2e_recover
|
|
with:
|
|
controlNodesCount: ${{ inputs.controlNodesCount }}
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
masterSecret: ${{ steps.constellation-create.outputs.masterSecret }}
|
|
|
|
- name: Run malicious join test
|
|
if: inputs.test == 'malicious join'
|
|
uses: ./.github/actions/e2e_malicious_join
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
githubToken: ${{ inputs.githubToken }}
|