diff --git a/.github/actions/find_latest_image/action.yml b/.github/actions/find_latest_image/action.yml
new file mode 100644
index 0000000000..7b8fba259f
--- /dev/null
+++ b/.github/actions/find_latest_image/action.yml
@@ -0,0 +1,69 @@
+name: Find latest image
+description: 'Find the latest image reference for a given ref/stream.'
+
+inputs:
+ git-ref:
+ description: 'Git ref to checkout.'
+ imageVersion:
+ description: 'Image version to use. If set, no image will be searched for and the specified image will be returned.'
+ ref:
+ description: 'The ref the image was built on. (e.g. "main")'
+ default: 'main'
+ stream:
+ description: 'The publication stream of the image. (e.g. "debug")'
+ default: 'debug'
+
+outputs:
+ image:
+ description: "Image reference to be used in the cluster."
+ value: ${{ steps.find-latest-image.outputs.output }}${{ steps.check-input.outputs.image }}
+ isDebugImage:
+ description: "Whether the image is a debug image."
+ value: ${{ steps.isDebugImage.outputs.isDebugImage }}
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Checkout head
+ if: inputs.imageVersion == '' && inputs.git-ref == 'head'
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+ - name: Checkout ref
+ if: inputs.imageVersion == '' && inputs.git-ref != 'head'
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ ref: ${{ inputs.git-ref }}
+
+ - name: Login to AWS
+ if: inputs.imageVersion == ''
+ uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+ with:
+ role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
+ aws-region: eu-central-1
+
+ - name: Find latest image
+ id: find-latest-image
+ if: inputs.imageVersion == ''
+ uses: ./.github/actions/versionsapi
+ with:
+ command: latest
+ ref: ${{ inputs.ref }}
+ stream: ${{ inputs.stream }}
+
+ - name: Is debug image?
+ id: isDebugImage
+ shell: bash
+ run: |
+ case "${{ inputs.imageVersion }}" in
+ "")
+ echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
+ ;;
+ *"/stream/debug/"*)
+ echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
+ ;;
+ *)
+ echo "isDebugImage=false" | tee -a "$GITHUB_OUTPUT"
+ ;;
+ esac
diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml
index 3c081d0038..60b40886f5 100644
--- a/.github/actions/self_managed_create/action.yml
+++ b/.github/actions/self_managed_create/action.yml
@@ -84,7 +84,7 @@ runs:
working-directory: ${{ github.workspace }}/e2e-infra
if: inputs.cloudProvider == 'azure'
run: |
- bazel run //hack/maa-patch:maa-patch $(terraform output attestationURL | jq -r)
+ ./constellation maa-patch $(terraform output attestationURL | jq -r)
- name: Write outputs to state file
shell: bash
diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml
index 6d7e88b0d0..bd1c9c0d7b 100644
--- a/.github/actions/upload_terraform_module/action.yml
+++ b/.github/actions/upload_terraform_module/action.yml
@@ -1,5 +1,10 @@
name: Upload Terraform module
description: "Upload the Terraform module as an artifact."
+
+inputs:
+ version:
+ description: "The Constellation CLI version to use in the Terraform Module. Leave empty when a built CLI is already present when applying the module."
+
runs:
using: "composite"
steps:
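Review bot: The `image` output's `value` references `steps.check-input.outputs.image`, but this action has no step with id `check-input` (the equivalent `Check input` step is deleted from e2e-test.yml in this commit and was not carried over), so whenever `imageVersion` is set the `find-latest-image` step is skipped and the output is the empty string; e2e-test.yml's `find-latest-image` job output inherits the problem. The output can be fixed without a step: `value: ${{ inputs.imageVersion || steps.find-latest-image.outputs.output }}`. In the `Is debug image?` step, `${{ inputs.imageVersion }}` is expanded into the script text before bash runs it, so an input containing shell metacharacters is executed rather than matched by the `case`; route it through `env:` and reference `$IMAGE_VERSION` instead. That step's `""` branch also hardcodes `isDebugImage=true` regardless of `inputs.stream`, while e2e-test-tf-module.yml in this commit calls the action with `stream: nightly`; classifying the image reference that is actually returned, as below, removes the special case (assuming the versionsapi output contains `/stream/<name>/` the way the existing glob already expects).
```yaml
      - name: Is debug image?
        id: isDebugImage
        shell: bash
        env:
          IMAGE_VERSION: ${{ inputs.imageVersion }}
          FOUND_IMAGE: ${{ steps.find-latest-image.outputs.output }}
        run: |
          # Classify the image that is actually returned: the explicit input
          # if set, otherwise the reference resolved by the versionsapi step.
          case "${IMAGE_VERSION:-${FOUND_IMAGE}}" in
            *"/stream/debug/"*)
              echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT"
              ;;
            *)
              echo "isDebugImage=false" | tee -a "$GITHUB_OUTPUT"
              ;;
          esac
```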
@@ -9,15 +14,23 @@ runs: cp -r terraform terraform-module find terraform-module -name "*.go" -type f -delete find terraform-module -name "*.bazel" -type f -delete + + - name: Stamp version + shell: bash + run: | + sed -i "s/@@CONSTELLATION_VERSION@@/${{ inputs.version }}/g" terraform-module/constellation-cluster/variables.tf + - name: Zip terraform dir shell: bash run: | zip -r terraform-module.zip terraform-module + - name: Upload artifact uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 with: name: terraform-module path: terraform-module.zip + - name: Cleanup Terraform module dir shell: bash run: | diff --git a/.github/workflows/e2e-test-tf-module.yml b/.github/workflows/e2e-test-tf-module.yml index 1ec6dd0e94..0ea8f91b7c 100644 --- a/.github/workflows/e2e-test-tf-module.yml +++ b/.github/workflows/e2e-test-tf-module.yml @@ -6,32 +6,28 @@ on: ref: type: string description: "Git ref to checkout" - required: false cloudProvider: description: "Which cloud provider to use." type: choice options: - "aws" + - "azure" - "gcp" required: true regionZone: description: "Region or zone to create the cluster in. Leave empty for default region/zone." type: string image: - description: "Node image version of the cluster." + description: "OS Image version used in the cluster's VMs, as specified in the Constellation config. If not set, the latest nightly image from main is used." type: string - required: true cliVersion: description: "Constellation CLI version to use. Empty value means build from source." type: string - default: "" - required: false workflow_call: inputs: ref: type: string description: "Git ref to checkout" - required: false cloudProvider: description: "Which cloud provider to use." type: string 
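Review bot: The `Stamp version` step expands `${{ inputs.version }}` directly inside the `sed` command line, so the value is spliced into the shell script before it runs: a version containing `/` breaks the substitution, and any other content a caller passes in is executed as shell rather than treated as data. Pass it through an environment variable and use a delimiter that cannot appear in a version: add `env:` / `VERSION: ${{ inputs.version }}` to the step and run `sed -i "s|@@CONSTELLATION_VERSION@@|${VERSION}|g" terraform-module/constellation-cluster/variables.tf`. Since the input is documented as optionally empty, it is also worth failing loudly when the placeholder is absent (`grep -q '@@CONSTELLATION_VERSION@@' terraform-module/constellation-cluster/variables.tf || exit 1` before the sed) so a renamed placeholder does not silently ship an unstamped module.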
@@ -40,16 +36,14 @@ on: description: "Which zone to use." type: string image: - description: "Node image reference which is compatible with the current dev release version." + description: "OS Image version used in the cluster's VMs, as specified in the Constellation config. If not set, the latest nightly image from main is used." type: string - required: true cliVersion: description: "Constellation CLI version to use. Empty value means build from source." type: string - default: "" - required: false + jobs: - build: + tf-module-test: runs-on: ubuntu-22.04 permissions: id-token: write @@ -62,16 +56,30 @@ jobs: with: ref: ${{ inputs.ref || github.head_ref }} - - name: Upload module + - name: Get Latest Image + id: find-latest-image + uses: ./.github/actions/find_latest_image + with: + git-ref: ${{ inputs.ref }} + imageVersion: ${{ inputs.image }} + ref: main + stream: nightly + + - name: Upload Terraform module uses: ./.github/actions/upload_terraform_module + with: + version: ${{ inputs.cliVersion }} - name: Download Terraform module - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: terraform-module - name: Unzip Terraform module - run: unzip terraform-module.zip + shell: bash + run: | + unzip terraform-module.zip -d ${{ github.workspace }} + rm terraform-module.zip - name: Create resource prefix id: create-prefix @@ -83,29 +91,62 @@ jobs: - name: Create AWS Terraform variable input file if: inputs.cloudProvider == 'aws' - working-directory: ./terraform-module/aws-constellation + working-directory: ${{ github.workspace }}/terraform-module/aws-constellation + shell: bash run: | cat > terraform.tfvars < terraform.tfvars < terraform.tfvars <> /etc/hosts' 
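Review bot: In the `@@ -62` hunk the `Get Latest Image` step passes `git-ref: ${{ inputs.ref }}`, while the checkout directly above it uses `ref: ${{ inputs.ref || github.head_ref }}`, so on a PR-triggered `workflow_call` without `ref` the composite action's `Checkout ref` step (which runs whenever `git-ref` is not `head`) presumably checks out a different revision than the job itself; using the same expression, `git-ref: ${{ inputs.ref || github.head_ref }}`, keeps the two in step. Note also that the action reports `isDebugImage=true` for an empty `imageVersion` even though `stream: nightly` is requested here; the output is not consumed in the visible part of this workflow, but it should not be relied on until the action is fixed.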
@@ -191,6 +235,12 @@ jobs: # extend token expiry to 6 hours to ensure constellation can terminate role-duration-seconds: 21600 + - name: Login to Azure (IAM + Cluster service principal) + if: inputs.cloudProvider == 'azure' + uses: ./.github/actions/login_azure + with: + azure_credentials: ${{ secrets.AZURE_E2E_TF_CREDENTIALS }} + - name: Login to GCP (IAM + Cluster service account) if: inputs.cloudProvider == 'gcp' uses: ./.github/actions/login_gcp @@ -199,22 +249,25 @@ jobs: - name: Apply Terraform Cluster id: apply_terraform - working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation + working-directory: ${{ github.workspace }}/terraform-module/${{ inputs.cloudProvider }}-constellation + shell: bash run: | cp ../../constellation . terraform init terraform apply -var-file=terraform.tfvars -auto-approve - name: Destroy Terraform Cluster - # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context) + # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context) if: always() && steps.apply_terraform.outcome != 'skipped' - working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation + working-directory: ${{ github.workspace }}/terraform-module/${{ inputs.cloudProvider }}-constellation + shell: bash run: | terraform init terraform destroy -var-file=terraform.tfvars -auto-approve - name: Verify cleanup - working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation + working-directory: ${{ github.workspace }}/terraform-module/${{ inputs.cloudProvider }}-constellation + shell: bash run: | if [ -f constellation-mastersecret.json ] || [ -f constellation-conf.yaml ]; then echo "Files constellation-mastersecret.json or constellation-conf.yaml still exist" diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml index 8af75d8590..10661736dc 100644 
--- a/.github/workflows/e2e-test-weekly.yml +++ b/.github/workflows/e2e-test-weekly.yml @@ -376,20 +376,14 @@ jobs: max-parallel: 5 matrix: include: - - test: "GCP" - provider: "gcp" - regionZone: "europe-west2-a" - - test: "AWS" - provider: "aws" - regionZone: "us-east-2c" + - provider: "gcp" + - provider: "aws" + - provider: "azure" permissions: id-token: write contents: read packages: write - needs: [find-latest-image] secrets: inherit uses: ./.github/workflows/e2e-test-tf-module.yml with: cloudProvider: "${{ matrix.provider }}" - regionZone: "${{ matrix.regionZone }}" - image: ${{ needs.find-latest-image.outputs.image-main-nightly }} diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index dc90d114da..587518d86a 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml 
@@ -151,64 +151,18 @@ jobs: id-token: write contents: read outputs: - image: ${{ steps.find-latest-image.outputs.output }}${{ steps.check-input.outputs.image }} - isDebugImage: ${{ steps.isDebugImage.outputs.isDebugImage }} + image: ${{ steps.find-latest-image.outputs.image }} + isDebugImage: ${{ steps.find-latest-image.outputs.isDebugImage }} steps: - - name: Check input - id: check-input - shell: bash - run: | - if [[ -z "${{ inputs.imageVersion }}" ]]; then - echo "Using latest debug image from main." - exit 0 - else - echo "image=${{ inputs.imageVersion }}" | tee -a "$GITHUB_OUTPUT" - fi - - - name: Checkout head - if: inputs.imageVersion == '' && inputs.git-ref == 'head' - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - with: - ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - - - name: Checkout ref - if: inputs.imageVersion == '' && inputs.git-ref != 'head' - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - with: - ref: ${{ inputs.git-ref }} - - - name: Login to AWS - if: inputs.imageVersion == '' - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 - with: - role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead - aws-region: eu-central-1 - - - name: Find latest image + - name: Get Latest Image id: find-latest-image - if: inputs.imageVersion == '' - uses: ./.github/actions/versionsapi + uses: ./.github/actions/find_latest_image with: - command: latest + git-ref: ${{ inputs.git-ref }} + imageVersion: ${{ inputs.imageVersion }} ref: main stream: debug - - name: Is debug image? 
- id: isDebugImage - shell: bash - run: | - case "${{ inputs.imageVersion }}" in - "") - echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT" - ;; - *"/stream/debug/"*) - echo "isDebugImage=true" | tee -a "$GITHUB_OUTPUT" - ;; - *) - echo "isDebugImage=false" | tee -a "$GITHUB_OUTPUT" - ;; - esac - e2e-test-manual: runs-on: ${{ inputs.runner }} permissions: diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index 5d802ecc32..023a9d8410 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -76,9 +76,6 @@ jobs: with: ref: ${{ inputs.ref || github.head_ref }} - - name: Upload Terraform module - uses: ./.github/actions/upload_terraform_module - - name: Setup bazel uses: ./.github/actions/setup_bazel_nix with: @@ -112,6 +109,20 @@ jobs: build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig + upload-terraform-module: + runs-on: ubuntu-22.04 + steps: + - name: Checkout + id: checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + ref: ${{ inputs.ref || github.head_ref }} + + - name: Upload Terraform module + uses: ./.github/actions/upload_terraform_module + with: + version: ${{ inputs.versionName }} + push-containers: runs-on: ubuntu-22.04 if: inputs.pushContainers @@ -148,6 +159,7 @@ jobs: needs: - build-cli - signed-sbom + - upload-terraform-module outputs: provenance-subjects: ${{ steps.provenance-subjects.outputs.provenance-subjects }} steps: @@ -278,6 +290,7 @@ jobs: needs: - build-cli - provenance + - upload-terraform-module steps: - name: Download CLI binaries darwin-amd64 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -356,6 +369,7 @@ jobs: - build-cli - provenance - signed-sbom + - upload-terraform-module steps: - name: Write cosign public key run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub 
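Review bot: The new `upload-terraform-module` job in the `@@ -112` hunk declares no `permissions:` block, so it runs with the workflow's default token permissions although it only checks out the repository and uploads an artifact; add `permissions:` / `contents: read` to the job so the token it receives is read-only. The job forwards `inputs.versionName` to `upload_terraform_module`, which interpolates it into a `sed` command, so this workflow is the natural place to validate the value against the expected `vX.Y.Z` shape before it reaches a shell. Whether the uploaded module is included in the `provenance` job's subjects is not visible here; `needs` is extended in the `@@ -148` hunk, which suggests it is meant to be, so worth confirming.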
diff --git a/cli/cmd/root.go b/cli/cmd/root.go
index c6e52f4f4d..6baaf3f1ff 100644
--- a/cli/cmd/root.go
+++ b/cli/cmd/root.go
@@ -61,6 +61,7 @@ func NewRootCmd() *cobra.Command {
rootCmd.AddCommand(cmd.NewIAMCmd())
rootCmd.AddCommand(cmd.NewVersionCmd())
rootCmd.AddCommand(cmd.NewInitCmd())
+ rootCmd.AddCommand(cmd.NewMaaPatchCmd())
return rootCmd
}
diff --git a/cli/internal/cmd/BUILD.bazel b/cli/internal/cmd/BUILD.bazel
index 40fe21ed9d..f4b9797cdc 100644
--- a/cli/internal/cmd/BUILD.bazel
+++ b/cli/internal/cmd/BUILD.bazel
@@ -26,6 +26,7 @@ go_library(
"iamupgradeapply.go",
"init.go",
"log.go",
+ "maapatch.go",
"mini.go",
"minidown.go",
"miniup.go",
@@ -78,6 +79,7 @@ go_library(
"//internal/kms/uri",
"//internal/license",
"//internal/logger",
+ "//internal/maa",
"//internal/retry",
"//internal/semver",
"//internal/sigstore",
@@ -129,6 +131,7 @@ go_test(
"iamdestroy_test.go",
"iamupgradeapply_test.go",
"init_test.go",
+ "maapatch_test.go",
"recover_test.go",
"spinner_test.go",
"status_test.go",
diff --git a/cli/internal/cmd/maapatch.go b/cli/internal/cmd/maapatch.go
new file mode 100644
index 0000000000..7db1abb5c5
--- /dev/null
+++ b/cli/internal/cmd/maapatch.go
@@ -0,0 +1,71 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package cmd
+
+import (
+ "context"
+ "fmt"
+ "net/url"
+
+ "github.com/edgelesssys/constellation/v2/internal/maa"
+ "github.com/spf13/cobra"
+)
+
+// NewMaaPatchCmd returns a new cobra.Command for the maa-patch command.
+func NewMaaPatchCmd() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "maa-patch ",
+ Short: "Patch the MAA's attestation policy",
+ Long: "Patch the MAA's attestation policy.",
+ Args: cobra.MatchAll(
+ cobra.ExactArgs(1),
+ func(cmd *cobra.Command, args []string) error {
+ if _, err := url.Parse(args[0]); err != nil {
+ return fmt.Errorf("argument %s is not a valid URL: %w", args[0], err)
+ }
+ return nil
+ },
+ ),
+ RunE: runPatchMAA,
+ Hidden: true, // we don't want to show this command to the user directly.
+ }
+
+ return cmd
+}
+
+type maaPatchCmd struct {
+ log debugLog
+ patcher patcher
+}
+
+func runPatchMAA(cmd *cobra.Command, args []string) error {
+ log, err := newCLILogger(cmd)
+ if err != nil {
+ return fmt.Errorf("creating logger: %w", err)
+ }
+ defer log.Sync()
+
+ p := maa.NewAzurePolicyPatcher()
+
+ c := &maaPatchCmd{log: log, patcher: p}
+
+ return c.patchMAA(cmd, args[0])
+}
+
+func (c *maaPatchCmd) patchMAA(cmd *cobra.Command, attestationURL string) error {
+ c.log.Debugf("Using attestation URL %s", attestationURL)
+
+ if err := c.patcher.Patch(cmd.Context(), attestationURL); err != nil {
+ return fmt.Errorf("patching MAA attestation policy: %w", err)
+ }
+
+ return nil
+}
+
+type patcher interface {
+ Patch(ctx context.Context, attestationURL string) error
+}
diff --git a/cli/internal/cmd/maapatch_test.go b/cli/internal/cmd/maapatch_test.go
new file mode 100644
index 0000000000..bbd0e165fa
--- /dev/null
+++ b/cli/internal/cmd/maapatch_test.go
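Review bot: The `Args` validator in `NewMaaPatchCmd` only checks that `url.Parse` succeeds, which accepts almost any string (a bare word, a relative path, an `http://` URL), so it does not ensure the patcher is handed an actual endpoint or one reached over TLS, which is what Azure Attestation endpoints use. Keep the parsed value and require scheme and host: `u, err := url.Parse(args[0])` / `if err != nil || u.Scheme != "https" || u.Host == "" {` / `return fmt.Errorf("argument %s is not a valid https URL", args[0])`. `maaPatchCmd` and `patcher` have no doc comments; one line each (`// maaPatchCmd bundles the dependencies of the maa-patch command.`, `// patcher updates the attestation policy of an MAA provider.`) would match the comment on `NewMaaPatchCmd`. The `Hidden: true` comment says the command is not meant for users, yet the docs change in this commit tells users to run `constellation maa-patch`; the comment should state the real reason (presumably keeping it out of the generated CLI reference) so the two do not read as contradictory.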
@@ -0,0 +1,59 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package cmd
+
+import (
+ "context"
+ "testing"
+
+ "github.com/edgelesssys/constellation/v2/internal/logger"
+ "github.com/spf13/cobra"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestMAAPatch(t *testing.T) {
+ testCases := map[string]struct {
+ attestationURL string
+ patcher *stubPolicyPatcher
+ wantErr bool
+ }{
+ "success": {
+ attestationURL: "https://example.com",
+ patcher: &stubPolicyPatcher{},
+ wantErr: false,
+ },
+ "patch error": {
+ attestationURL: "https://example.com",
+ patcher: &stubPolicyPatcher{patchErr: assert.AnError},
+ wantErr: true,
+ },
+ }
+
+ for name, tc := range testCases {
+ t.Run(name, func(t *testing.T) {
+ require := require.New(t)
+
+ c := &maaPatchCmd{log: logger.NewTest(t), patcher: tc.patcher}
+ err := c.patchMAA(&cobra.Command{}, tc.attestationURL)
+ if tc.wantErr {
+ require.Error(err)
+ } else {
+ require.NoError(err)
+ }
+ })
+ }
+}
+
+type stubPolicyPatcher struct {
+ patchErr error
+}
+
+// Patch implements the patcher interface.
+func (p *stubPolicyPatcher) Patch(context.Context, string) error {
+ return p.patchErr
+}
diff --git a/dev-docs/workflows/release.md b/dev-docs/workflows/release.md
index 28efa0af07..9eca1b9fc4 100644
--- a/dev-docs/workflows/release.md
+++ b/dev-docs/workflows/release.md
@@ -30,10 +30,6 @@ Releases should be performed using [the automated release pipeline](https://gith
git push origin ${working_branch}
```
-### Update CLI version for Terraform module
-
-Update the `version` inside `terraform/constellation-cluster/install-constellation.sh` to the new release.
-
### Patch release
1. `cherry-pick` (only) the required commits from `main`
diff --git a/docs/docs/workflows/create.md b/docs/docs/workflows/create.md
index 7858b5d8bf..da8068b9e3 100644
--- a/docs/docs/workflows/create.md
+++ b/docs/docs/workflows/create.md
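Review bot: `TestMAAPatch` exercises only `patchMAA`, so the argument validator wired into the command by `NewMaaPatchCmd` (exact argument count and URL parsing) has no coverage and a regression there would go unnoticed. Add cases that call the validator through the command, e.g. `cmd := NewMaaPatchCmd()` then `require.Error(cmd.Args(cmd, nil))` for a missing argument and `require.Error(cmd.Args(cmd, []string{"://bad"}))` for a value that makes `url.Parse` fail, next to a passing `https://example.com`. The success case could also record the URL the stub received (a `gotURL` field set in `Patch`) and assert it equals `tc.attestationURL`, rather than only checking that no error is returned.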
@@ -249,19 +249,21 @@ To self-manage the infrastructure of your cluster, download the Terraform files They contain a minimum configuration for the resources necessary to run a Constellation cluster on the corresponding CSP. From this base, you can now add, edit, or substitute resources per your own requirements with the infrastructure management tooling of your choice. You need to keep the essential functionality of the base configuration in order for your cluster to function correctly. + + :::info On Azure, if the enforcement policy is set to `MAAFallback` in `constellation-config.yaml`, a manual update to the MAA provider's policy is necessary. - You can apply the update with the following commands, where `` is the version of Constellation that should be set up. (e.g. `v2.12.0`) + You can apply the update with the following command after creating the infrastructure, with `` being the URL of the MAA provider (i.e., `$(terraform output attestationURL | jq -r)`, when using the minimal Terraform configuration). ```bash - git clone --branch https://github.com/edgelesssys/constellation - cd constellation/hack/maa-patch - go run . $(terraform output attestationURL | jq -r) + constellation maa-patch ``` ::: + + Make sure all necessary resources are created, e.g., through checking your CSP's portal and retrieve the necessary values, aligned with the outputs (specified in `outputs.tf`) of the base configuration. Fill these outputs into the corresponding fields of the `constellation-state.yaml` file. For example, fill the IP or DNS name your cluster can be reached at into the `.Infrastructure.ClusterEndpoint` field. diff --git a/hack/clidocgen/main.go b/hack/clidocgen/main.go index 83860cd9fc..b63b796cb3 100644 --- a/hack/clidocgen/main.go +++ b/hack/clidocgen/main.go 
@@ -28,6 +28,9 @@ func main() {
cmdList := &bytes.Buffer{}
body := &bytes.Buffer{}
for _, c := range allSubCommands(rootCmd) {
+ if c.Hidden {
+ continue
+ }
name := c.Name()
fullName, level := determineFullNameAndLevel(c)
diff --git a/hack/maa-patch/BUILD.bazel b/hack/maa-patch/BUILD.bazel
deleted file mode 100644
index fdcf3f696a..0000000000
--- a/hack/maa-patch/BUILD.bazel
+++ /dev/null
@@ -1,22 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-load("//bazel/go:go_test.bzl", "go_test")
-
-go_library(
- name = "maa-patch_lib",
- srcs = ["main.go"],
- importpath = "github.com/edgelesssys/constellation/v2/hack/maa-patch",
- visibility = ["//visibility:private"],
- deps = ["//internal/maa"],
-)
-
-go_binary(
- name = "maa-patch",
- embed = [":maa-patch_lib"],
- visibility = ["//visibility:public"],
-)
-
-go_test(
- name = "maa-patch_test",
- srcs = ["main_test.go"],
- embed = [":maa-patch_lib"],
-)
diff --git a/hack/maa-patch/main.go b/hack/maa-patch/main.go
deleted file mode 100644
index 42fce2876d..0000000000
--- a/hack/maa-patch/main.go
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
-Copyright (c) Edgeless Systems GmbH
-
-SPDX-License-Identifier: AGPL-3.0-only
-*/
-package main
-
-import (
- "context"
- "fmt"
- "net/url"
- "os"
-
- "github.com/edgelesssys/constellation/v2/internal/maa"
-)
-
-func main() {
- if len(os.Args) != 2 {
- fmt.Fprintf(os.Stderr, "Usage: %s \n", os.Args[0])
- os.Exit(1)
- }
-
- attestationURL := os.Args[1]
- if _, err := url.Parse(attestationURL); err != nil {
- fmt.Fprintf(os.Stderr, "Invalid attestation URL: %s\n", err)
- os.Exit(1)
- }
-
- p := maa.NewAzurePolicyPatcher()
- if err := p.Patch(context.Background(), attestationURL); err != nil {
- panic(err)
- }
-}
diff --git a/hack/maa-patch/main_test.go b/hack/maa-patch/main_test.go
deleted file mode 100644
index fa73af23e8..0000000000
--- a/hack/maa-patch/main_test.go
+++ /dev/null
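Review bot: The new `c.Hidden` check skips only the hidden command itself; if `allSubCommands` descends into children (its body is outside this hunk), subcommands of a hidden command are still documented, and deprecated commands are not filtered at all. cobra's `IsAvailableCommand()` covers hidden and deprecated commands in one call, so `if !c.IsAvailableCommand() { continue }` is a more complete filter, though it also excludes the built-in help command and non-runnable commands without available subcommands, so the generated output should be compared before switching. The enclosing `main` continues outside the hunk.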
@@ -1,13 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: AGPL-3.0-only -*/ - -package main - -import "testing" - -func TestNop(t *testing.T) { - t.Skip("This is a nop-test to catch build-time errors in this package.") -} diff --git a/terraform/aws-constellation/main.tf b/terraform/aws-constellation/main.tf index d06c7a43e3..de6935de38 100644 --- a/terraform/aws-constellation/main.tf +++ b/terraform/aws-constellation/main.tf @@ -12,7 +12,7 @@ module "aws_iam" { resource "null_resource" "ensure_yq" { provisioner "local-exec" { command = < "image.txt" + + if [ '${var.csp}' = 'azure' ]; then + sed -i 's/CommunityGalleries/communityGalleries/g' image.txt + sed -i 's/Images/images/g' image.txt + sed -i 's/Versions/versions/g' image.txt + fi EOT } + resource "null_resource" "fetch_image" { provisioner "local-exec" { command = local.fetch_image_command diff --git a/terraform/fetch-image/output.tf b/terraform/common/fetch-image/output.tf similarity index 100% rename from terraform/fetch-image/output.tf rename to terraform/common/fetch-image/output.tf diff --git a/terraform/fetch-image/variables.tf b/terraform/common/fetch-image/variables.tf similarity index 100% rename from terraform/fetch-image/variables.tf rename to terraform/common/fetch-image/variables.tf diff --git a/terraform/common/install-yq.sh b/terraform/common/install-yq.sh new file mode 100755 index 0000000000..14c375fd99 --- /dev/null +++ b/terraform/common/install-yq.sh 
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+version="v4.35.2"
+if [[ -f ./yq ]] && ./yq --version | grep -q "${version}"; then
+ echo "yq is already available and up to date."
+ exit 0
+fi
+if [[ -f ./yq ]]; then
+ echo "yq is already available but not at the required version. Replacing with ${version}."
+ rm -f yq
+fi
+
+echo "Fetching yq ${version}"
+os=$(uname -s)
+arch=$(uname -m)
+url=""
+
+if [[ ${os} == "Darwin" ]]; then
+ if [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_arm64"
+ elif [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_darwin_amd64"
+ fi
+elif [[ ${os} == "Linux" ]]; then
+ if [[ ${arch} == "x86_64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_amd64"
+ elif [[ ${arch} == "arm64" ]]; then
+ url="https://github.com/mikefarah/yq/releases/download/${version}/yq_linux_arm64"
+ fi
+fi
+
+if [[ -z ${url} ]]; then
+ echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
+ exit 1
+else
+ echo "Downloading yq from ${url}"
+ curl -o yq -L "${url}"
+ chmod +x ./yq
+ ./yq --version
+ if ! ./yq --version | grep -q "${version}"; then # check that yq was installed correctly
+ echo "Version is incorrect"
+ exit 1
+ fi
+fi
diff --git a/terraform/constellation-cluster/install-constellation.sh b/terraform/constellation-cluster/install-constellation.sh
index 752d2988b1..b056db21a7 100755
--- a/terraform/constellation-cluster/install-constellation.sh
+++ b/terraform/constellation-cluster/install-constellation.sh
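Review bot: `install-yq.sh` fetches the binary with `curl -o yq -L "${url}"` and afterwards only checks that `./yq --version` prints the pinned version string, which is not an integrity check: a substituted or tampered download that reports the right version passes, and `curl` without `--fail` stores an HTTP error page as `yq` until the later version check rejects it. Use `curl -fsSL -o yq "${url}"` and verify the file against a digest pinned per platform before `chmod +x`, e.g. `echo "<sha256-of-yq-for-this-platform>  yq" | sha256sum -c -` (`shasum -a 256 -c -` on Darwin), with the expected digests for `v4.35.2` hardcoded next to each `url` assignment. The same download pattern appears in `install-constellation.sh` in the next hunk, which has no post-download check at all.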
@@ -1,29 +1,32 @@
#!/usr/bin/env bash
-if [[ -f ./constellation ]]; then # needed to allow using devbuilds
+if [[ -f ./constellation ]]; then
echo "constellation CLI is already available."
exit 0
fi
-version="v2.13.0"
+
os=$(uname -s)
arch=$(uname -m)
+version=$1
url=""
+
+echo "Fetching constellation ${version}"
+
if [[ ${os} == "Darwin" ]]; then
if [[ ${arch} == "arm64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/download/${version}/constellation-darwin-arm64"
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-arm64"
elif [[ ${arch} == "x86_64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/download/${version}/constellation-darwin-amd64"
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-darwin-amd64"
fi
elif [[ ${os} == "Linux" ]]; then
if [[ ${arch} == "x86_64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/download/${version}/constellation-linux-amd64"
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-amd64"
elif [[ ${arch} == "arm64" ]]; then
- url="https://github.com/edgelesssys/constellation/releases/download/${version}/constellation-linux-arm64"
+ url="https://github.com/edgelesssys/constellation/releases/${version}/download/constellation-linux-arm64"
fi
fi
-echo "Fetching constellation ${version}"
if [[ -z ${url} ]]; then
- echo "OS \"${os}\" and/or architecture \"${arch}\" is not supported."
+ echo "os \"${os}\" and/or architecture \"${arch}\" is not supported."
exit 1
else
curl -o constellation -L "${url}"
diff --git a/terraform/constellation-cluster/install-yq.sh b/terraform/constellation-cluster/install-yq.sh
deleted file mode 100755
index 12b62c1c45..0000000000
--- a/terraform/constellation-cluster/install-yq.sh
+++ /dev/null
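Review bot: `version=$1` is used without any check, so invoking the script with no argument (the `version` input that `upload_terraform_module` stamps into the module is documented as optionally empty) builds `releases//download/...`, and `curl -L` without `--fail` then saves whatever the server answers as `constellation`; unlike `install-yq.sh` there is no post-download version check in this hunk to catch that. Guard the argument and fail on transport errors: `[[ -n ${version} ]] || { echo "usage: $0 <version>" >&2; exit 1; }` after the early-exit block, and `curl -fsSL -o constellation "${url}"` in place of the current curl line. The asset path was also changed from `releases/download/${version}/` to `releases/${version}/download/`, presumably so that `latest` works as a version; confirm that GitHub serves tagged releases under that form as well, since `releases/download/<tag>/<asset>` is the documented one. The script continues past the curl line outside the hunk.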
@@ -1,43 +0,0 @@ -#!/usr/bin/env bash -VERSION="v4.35.2" -if [[ -f ./yq ]] && ./yq --version | grep -q "${VERSION}"; then - echo "yq is already available and up to date." - exit 0 -fi -if [[ -f ./yq ]]; then - echo "yq is already available but not at the required version. Replacing with ${VERSION}." - rm -f yq -fi - -echo "Fetching yq ${VERSION}" -OS=$(uname -s) -ARCH=$(uname -m) -URL="" - -if [[ ${OS} == "Darwin" ]]; then - if [[ ${ARCH} == "arm64" ]]; then - URL="https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_darwin_arm64" - elif [[ ${ARCH} == "x86_64" ]]; then - URL="https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_darwin_amd64" - fi -elif [[ ${OS} == "Linux" ]]; then - if [[ ${ARCH} == "x86_64" ]]; then - URL="https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_linux_amd64" - elif [[ ${ARCH} == "arm64" ]]; then - URL="https://github.com/mikefarah/yq/releases/download/${VERSION}/yq_linux_arm64" - fi -fi - -if [[ -z ${URL} ]]; then - echo "OS \"${OS}\" and/or architecture \"${ARCH}\" is not supported." - exit 1 -else - echo "Downloading yq from ${URL}" - curl -o yq -L "${URL}" - chmod +x ./yq - ./yq --version - if ! ./yq --version | grep -q "${VERSION}"; then # check that yq was installed correctly - echo "Version is incorrect" - exit 1 - fi -fi diff --git a/terraform/constellation-cluster/main.tf b/terraform/constellation-cluster/main.tf index a067d25dc9..1138c33a94 100644 --- a/terraform/constellation-cluster/main.tf +++ b/terraform/constellation-cluster/main.tf @@ -15,7 +15,7 @@ locals { resource "null_resource" "ensure_cli" { provisioner "local-exec" { command = < "${local.gcp_sa_file_path}" - EOT } provisioner "local-exec" { 
@@ -81,7 +108,6 @@ resource "null_resource" "gcp_config" { ./yq eval '.provider.gcp.region = "${var.gcp_config.region}"' -i constellation-conf.yaml ./yq eval '.provider.gcp.zone = "${var.gcp_config.zone}"' -i constellation-conf.yaml ./yq eval '.provider.gcp.serviceAccountKeyPath = "${local.gcp_sa_file_path}"' -i constellation-conf.yaml - ./yq eval '.infrastructure.gcp.projectID = "${var.gcp_config.project}"' -i constellation-state.yaml ./yq eval '.infrastructure.gcp.ipCidrPod = "${var.gcp_config.ipCidrPod}"' -i constellation-state.yaml EOT @@ -99,21 +125,21 @@ resource "null_resource" "config" { command = < 0 - error_message = "The image variable must not be empty." - } -} - variable "kubernetes_version" { type = string description = "Kubernetes version." @@ -100,3 +120,9 @@ variable "microservice_version" { type = string description = "Microservice version." } + +variable "debug" { + type = bool + default = false + description = "DON'T USE IN PRODUCTION: Enable debug mode and allow the use of debug images." +} diff --git a/terraform/gcp-constellation/main.tf b/terraform/gcp-constellation/main.tf index 1632925636..cd4887ea1f 100644 --- a/terraform/gcp-constellation/main.tf +++ b/terraform/gcp-constellation/main.tf @@ -14,7 +14,7 @@ module "gcp_iam" { resource "null_resource" "ensure_yq" { provisioner "local-exec" { command = <