mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-22 05:11:23 -05:00
60bf770e62
* refactor `debugd` file structure * create `hack`-tool to deploy logcollection to non-debug clusters * integrate changes into CI * update fields * update workflow input names * use `working-directory` * add opensearch creds to upgrade workflow * make template func generic * make templating func generic * linebreaks * remove magic defaults * move `os.Exit` to main package * make logging index configurable * make templating generic * remove excess brace * update fields * copy fields * fix flag name * fix linter warnings Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> * remove unused workflow inputs * remove makefiles * fix command * bazel: fix output paths of container This fixes the output paths of builds within the container by mounting directories to paths that exist on the host. We also explicitly set the output path in a .bazelrc to the user specific path. The rc file is mounted into the container and overrides the host rc. Also adding automatic stop in case start is called and a containers is already running. Sym links like bazel-out and paths bazel outputs should generally work with this change. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> * tabs -> spaces --------- Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
213 lines
7.7 KiB
YAML
213 lines
7.7 KiB
YAML
name: Constellation create
|
|
description: Create a new Constellation cluster using latest OS image.
|
|
|
|
inputs:
|
|
workerNodesCount:
|
|
description: "Number of worker nodes to spawn."
|
|
required: true
|
|
controlNodesCount:
|
|
description: "Number of control-plane nodes to spawn."
|
|
required: true
|
|
cloudProvider:
|
|
description: "Either 'gcp', 'aws' or 'azure'."
|
|
required: true
|
|
machineType:
|
|
description: "Machine type of VM to spawn."
|
|
required: false
|
|
cliVersion:
|
|
description: "Version of the CLI"
|
|
required: true
|
|
osImage:
|
|
description: "OS image to use."
|
|
required: true
|
|
isDebugImage:
|
|
description: "Is OS img a debug img?"
|
|
required: true
|
|
kubernetesVersion:
|
|
description: "Kubernetes version to create the cluster from."
|
|
required: false
|
|
artifactNameSuffix:
|
|
description: "Suffix for artifact naming."
|
|
required: true
|
|
fetchMeasurements:
|
|
default: "false"
|
|
description: "Update measurements via the 'constellation config fetch-measurements' command."
|
|
azureSNPEnforcementPolicy:
|
|
required: false
|
|
description: "Azure SNP enforcement policy."
|
|
test:
|
|
description: "The e2e test payload."
|
|
required: true
|
|
|
|
outputs:
|
|
kubeconfig:
|
|
description: "The kubeconfig for the cluster."
|
|
value: ${{ steps.constellation-init.outputs.KUBECONFIG }}
|
|
osImageUsed:
|
|
description: "The OS image used in the cluster."
|
|
value: ${{ steps.setImage.outputs.image }}
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Set constellation name
|
|
shell: bash
|
|
run: |
|
|
yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml
|
|
|
|
- name: Set Azure SNP enforcement policy
|
|
if: inputs.azureSNPEnforcementPolicy != ''
|
|
shell: bash
|
|
run: |
|
|
if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then
|
|
echo "SNP enforcement policy is only supported for Azure"
|
|
exit 1
|
|
fi
|
|
yq eval -i "(.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy) \
|
|
= \"${{ inputs.azureSNPEnforcementPolicy }}\"" constellation-conf.yaml
|
|
|
|
- name: Set image
|
|
id: setImage
|
|
shell: bash
|
|
env:
|
|
imageInput: ${{ inputs.osImage }}
|
|
run: |
|
|
if [[ -z "${imageInput}" ]]; then
|
|
echo "No image specified. Using default image from config."
|
|
image=$(yq eval ".image" constellation-conf.yaml)
|
|
echo "image=${image}" | tee -a "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
|
|
yq eval -i "(.image) = \"${imageInput}\"" constellation-conf.yaml
|
|
echo "image=${imageInput}" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Update measurements for non-stable images
|
|
if: inputs.fetchMeasurements
|
|
shell: bash
|
|
run: |
|
|
constellation config fetch-measurements --debug --insecure
|
|
|
|
- name: Set instanceType
|
|
if: inputs.machineType && inputs.machineType != 'default'
|
|
shell: bash
|
|
run: |
|
|
yq eval -i "(.nodeGroups[] | .instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml
|
|
|
|
- name: Set node count
|
|
shell: bash
|
|
run: |
|
|
yq eval -i "(.nodeGroups[] | select(.role == \"control-plane\") | .initialCount) = ${{ inputs.controlNodesCount }}" constellation-conf.yaml
|
|
yq eval -i "(.nodeGroups[] | select(.role == \"worker\") | .initialCount) = ${{ inputs.workerNodesCount }}" constellation-conf.yaml
|
|
|
|
- name: Enable debugCluster flag
|
|
if: inputs.isDebugImage == 'true'
|
|
shell: bash
|
|
run: |
|
|
yq eval -i '(.debugCluster) = true' constellation-conf.yaml
|
|
|
|
# Uses --force flag since the CLI currently does not have a pre-release version and is always on the latest released version.
|
|
# However, many of our pipelines work on prerelease images. Thus the used images are newer than the CLI's version.
|
|
# This makes the version validation in the CLI fail.
|
|
- name: Constellation create
|
|
shell: bash
|
|
run: |
|
|
echo "Creating cluster using config:"
|
|
cat constellation-conf.yaml
|
|
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true
|
|
constellation create -y --force --debug --tf-log=DEBUG
|
|
|
|
- name: Cdbg deploy
|
|
if: inputs.isDebugImage == 'true'
|
|
shell: bash
|
|
run: |
|
|
echo "::group::cdbg deploy"
|
|
chmod +x $GITHUB_WORKSPACE/build/cdbg
|
|
cdbg deploy \
|
|
--bootstrapper "${{ github.workspace }}/build/bootstrapper" \
|
|
--upgrade-agent "${{ github.workspace }}/build/upgrade-agent" \
|
|
--info logcollect=true \
|
|
--info logcollect.github.actor="${{ github.triggering_actor }}" \
|
|
--info logcollect.github.workflow="${{ github.workflow }}" \
|
|
--info logcollect.github.run-id="${{ github.run_id }}" \
|
|
--info logcollect.github.run-attempt="${{ github.run_attempt }}" \
|
|
--info logcollect.github.ref-name="${{ github.ref_name }}" \
|
|
--info logcollect.github.sha="${{ github.sha }}" \
|
|
--info logcollect.github.runner-os="${{ runner.os }}" \
|
|
--info logcollect.github.e2e-test-payload="${{ inputs.test }}" \
|
|
--info logcollect.github.is-debug-cluster=false \
|
|
--info logcollect.deployment-type="debugd" \
|
|
--verbosity=-1 \
|
|
--force
|
|
echo "::endgroup::"
|
|
|
|
- name: Constellation init
|
|
id: constellation-init
|
|
shell: bash
|
|
run: |
|
|
constellation init --force --debug
|
|
echo "KUBECONFIG=$(pwd)/constellation-admin.conf" | tee -a $GITHUB_OUTPUT
|
|
|
|
- name: Wait for nodes to join and become ready
|
|
shell: bash
|
|
env:
|
|
KUBECONFIG: "${{ steps.constellation-init.outputs.KUBECONFIG }}"
|
|
JOINTIMEOUT: "1200" # 20 minutes timeout for all nodes to join
|
|
run: |
|
|
echo "::group::Wait for nodes"
|
|
NODES_COUNT=$((${{ inputs.controlNodesCount }} + ${{ inputs.workerNodesCount }}))
|
|
JOINWAIT=0
|
|
until [[ "$(kubectl get nodes -o json | jq '.items | length')" == "${NODES_COUNT}" ]] || [[ $JOINWAIT -gt $JOINTIMEOUT ]];
|
|
do
|
|
echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined.. waiting.."
|
|
JOINWAIT=$((JOINWAIT+30))
|
|
sleep 30
|
|
done
|
|
if [[ $JOINWAIT -gt $JOINTIMEOUT ]]; then
|
|
echo "Timed out waiting for nodes to join"
|
|
exit 1
|
|
fi
|
|
echo "$(kubectl get nodes -o json | jq '.items | length')/"${NODES_COUNT}" nodes have joined"
|
|
if ! kubectl wait --for=condition=ready --all nodes --timeout=20m; then
|
|
kubectl get pods -n kube-system
|
|
kubectl get events -n kube-system
|
|
echo "::error::kubectl wait timed out before all nodes became ready"
|
|
echo "::endgroup::"
|
|
exit 1
|
|
fi
|
|
echo "::endgroup::"
|
|
|
|
- name: Download boot logs
|
|
if: always()
|
|
continue-on-error: true
|
|
shell: bash
|
|
env:
|
|
CSP: ${{ inputs.cloudProvider }}
|
|
run: |
|
|
echo "::group::Download boot logs"
|
|
CONSTELL_UID=$(yq '.uid' constellation-id.json)
|
|
case $CSP in
|
|
azure)
|
|
AZURE_RESOURCE_GROUP=$(yq eval ".provider.azure.resourceGroup" constellation-conf.yaml)
|
|
./.github/actions/constellation_create/az-logs.sh ${AZURE_RESOURCE_GROUP}
|
|
;;
|
|
gcp)
|
|
GCP_ZONE=$(yq eval ".provider.gcp.zone" constellation-conf.yaml)
|
|
./.github/actions/constellation_create/gcp-logs.sh ${GCP_ZONE} ${CONSTELL_UID}
|
|
;;
|
|
aws)
|
|
./.github/actions/constellation_create/aws-logs.sh us-east-2 ${CONSTELL_UID}
|
|
;;
|
|
esac
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload boot logs
|
|
if: always() && !env.ACT
|
|
continue-on-error: true
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: serial-logs-${{ inputs.artifactNameSuffix }}
|
|
path: |
|
|
*.log
|
|
!terraform.log
|