Merge branch 'main' into mi/e2e-namespace

edgelesssys · Apr 26, 2024 · d0a7bf8 · d0a7bf8
2 parents 70e4c1a + 058eb93
commit d0a7bf8
Show file tree

Hide file tree

Showing 13 changed files with 37 additions and 31 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -213,8 +213,8 @@ jobs:
  --replace "ghcr.io/edgelesssys/contrast/node-installer:latest" "$nodeInstallerImgTagged"
  nix run .#kypatch namespace -- workspace/runtime.yml \
  --replace edg-default kube-system
- nix run .#scripts.write-emojivoto-demo -- "./image-replacements.txt" "deployments/emojivoto-demo.yml"
- zip -r deployments/emojivoto-demo.zip deployments/emojivoto-demo.yml
+ nix run .#scripts.write-emojivoto-demo -- "./image-replacements.txt" "deployment/emojivoto-demo.yml"
+ zip -r deployment/emojivoto-demo.zip deployment/emojivoto-demo.yml
  - name: Update coordinator policy hash
  run: |
  yq < workspace/coordinator.yml \
@@ -239,7 +239,7 @@ jobs:
  result-cli/bin/contrast
  workspace/coordinator.yml
  workspace/runtime.yml
- deployments/emojivoto-demo.zip
+ deployment/emojivoto-demo.zip
  - name: Reset temporary changes
  run: |
  git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
@@ -281,5 +281,5 @@ jobs:
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/edgelesssys/contrast/milestones \
- -f title='${NEXT_MINOR}' \
+ -f title="${NEXT_MINOR}" \
  -f state='open'
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,4 @@ go.work.sum
 node_modules
 .docusaurus
 build/
+.worktree
diff --git a/dev-docs/aks/nested-virt-internals.md b/dev-docs/aks/nested-virt-internals.md
@@ -155,12 +155,12 @@ This file is a serialization of [katautils.tomlConfig] and contains decent inlin
 option.
 
 <details>
-<summary>Example of a useful drop-in fragment</summary>
+<summary>Example of a drop-in fragment raising the default memory per VM</summary>
 
 ```sh
 cat >/opt/confidential-containers/share/defaults/kata-containers/config.d/10-memory.toml <<EOF
 [hypervisor.clh]
-default_memory = 256
+default_memory = 512
 EOF
 ```
 </details>
@@ -173,9 +173,11 @@ EOF
 
 There's [AKS documentation for resource management] which explains the basics of how CPU and
 memory are allocated for a Kata VM.
-The default memory allocation is quite high at 2GiB, which fills up the node fast.
-It's unclear why this default is chosen, given that the container limit's added on top of this
-value. Forcing a size with the pod annotation
+The default memory overhead added by the `RuntimeClass` is quite high at 2GiB, which fills up the node fast.
+It's unclear why this default is chosen, given that the container limit is added on top of this
+value and that the VMs are created with a 256MiB overhead.
+
+Forcing a size with the pod annotation
 `io.katacontainers.config.hypervisor.default_memory` would be possible, but the annotation would
 need to be allow-listed in the config setting `enable_annotations`.
 
@@ -186,7 +188,7 @@ need to be allow-listed in the config setting `enable_annotations`.
 
 ```toml
 [hypervisor.clh]
-default_memory = 2048 # MiB! Minimum seems to be around 256.
+default_memory = 256
 default_vcpus = 1
 enable_annotations = ["enable_iommu"]
 

diff --git a/docs/docs/examples/emojivoto.md b/docs/docs/examples/emojivoto.md
@@ -138,8 +138,6 @@ to the workloads using the Coordinator's `mesh-root.pem` as a trusted CA certifi
 To access the web frontend, expose the service on a public IP address via a LoadBalancer service:
 
 ```sh
-kubectl patch svc web-svc -p '{"spec": {"type": "LoadBalancer"}}'
-timeout 30s bash -c 'until kubectl get service/web-svc --output=jsonpath='{.status.loadBalancer}' | grep "ingress"; do sleep 2 ; done'
 frontendIP=$(kubectl get svc web-svc -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo "Frontend is available at https://$frontendIP, you can visit it in your browser."
 ```

diff --git a/docs/docs/getting-started/cluster-setup.md b/docs/docs/getting-started/cluster-setup.md
@@ -144,8 +144,7 @@ In case you've created a new resource group, you can just delete that group with
 
 ```sh
 az group delete \
- --name "$azResourceGroup" \
- --location "$azLocation"
+ --name "$azResourceGroup"
 ```
 
 Deleting the resource group will also delete the cluster and all other related resources.

diff --git a/docs/versioned_docs/version-0.5.0/examples/emojivoto.md b/docs/versioned_docs/version-0.5.0/examples/emojivoto.md
@@ -138,8 +138,6 @@ to the workloads using the Coordinator's `mesh-root.pem` as a trusted CA certifi
 To access the web frontend, expose the service on a public IP address via a LoadBalancer service:
 
 ```sh
-kubectl patch svc web-svc -p '{"spec": {"type": "LoadBalancer"}}'
-timeout 30s bash -c 'until kubectl get service/web-svc --output=jsonpath='{.status.loadBalancer}' | grep "ingress"; do sleep 2 ; done'
 frontendIP=$(kubectl get svc web-svc -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo "Frontend is available at https://$frontendIP, you can visit it in your browser."
 ```

diff --git a/docs/versioned_docs/version-0.5.0/getting-started/cluster-setup.md b/docs/versioned_docs/version-0.5.0/getting-started/cluster-setup.md
@@ -144,8 +144,7 @@ In case you've created a new resource group, you can just delete that group with
 
 ```sh
 az group delete \
- --name "$azResourceGroup" \
- --location "$azLocation"
+ --name "$azResourceGroup"
 ```
 
 Deleting the resource group will also delete the cluster and all other related resources.

diff --git a/e2e/internal/kubeclient/deploy.go b/e2e/internal/kubeclient/deploy.go
@@ -84,20 +84,21 @@ func (c *Kubeclient) WaitForDeployment(ctx context.Context, namespace, name stri
  if ctx.Err() != context.DeadlineExceeded {
  return ctx.Err()
  }
+ ctxErr := ctx.Err()
  // Fetch and print debug information.
  ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
  defer cancel()
  pods, err := c.PodsFromDeployment(ctx, namespace, name) //nolint:contextcheck // The parent context expired.
  if err != nil {
  logger.Error("could not fetch pods for deployment", "name", name, "error", err)
- return ctx.Err()
+ return ctxErr
  }
  for _, pod := range pods {
  if !isPodReady(&pod) {
  logger.Debug("pod not ready", "name", pod.Name, "status", c.toJSON(pod.Status))
  }
  }
- return ctx.Err()
+ return ctxErr
  }
  }
 }

diff --git a/e2e/internal/kuberesource/parts.go b/e2e/internal/kuberesource/parts.go
@@ -18,7 +18,7 @@ func ContrastRuntimeClass() *RuntimeClassConfig {
  r := RuntimeClass(runtimeHandler).
  WithHandler(runtimeHandler).
  WithLabels(map[string]string{"addonmanager.kubernetes.io/mode": "Reconcile"}).
- WithOverhead(Overhead(corev1.ResourceList{"memory": resource.MustParse("2Gi")})).
+ WithOverhead(Overhead(corev1.ResourceList{"memory": resource.MustParse("1152Mi")})).
  WithScheduling(Scheduling(map[string]string{"kubernetes.azure.com/kata-cc-isolation": "true"}))
 
  return &RuntimeClassConfig{r}

diff --git a/e2e/internal/kuberesource/resourcegen/main.go b/e2e/internal/kuberesource/resourcegen/main.go
@@ -44,7 +44,7 @@ func main() {
  case "openssl":
  resources, err = kuberesource.OpenSSL()
  case "emojivoto":
- resources, err = kuberesource.Emojivoto()
+ resources, err = kuberesource.Emojivoto(kuberesource.ServiceMeshDisabled)
  default:
  fmt.Printf("Error: unknown set: %s\n", set)
  os.Exit(1)

diff --git a/e2e/servicemesh/servicemesh_test.go b/e2e/servicemesh/servicemesh_test.go
@@ -30,9 +30,13 @@ var imageReplacements map[string]string
 func TestIngressEgress(t *testing.T) {
  ct := contrasttest.New(t, imageReplacements)
 
- resources, err := kuberesource.EmojivotoIngressEgress()
+ resources, err := kuberesource.Emojivoto(kuberesource.ServiceMeshIngressEgress)
  require.NoError(t, err)
 
+ coordinator := kuberesource.Coordinator("").DeploymentApplyConfiguration
+ coordinatorService := kuberesource.ServiceForDeployment(coordinator)
+ resources = append(resources, coordinator, coordinatorService)
+
  ct.Init(t, resources)
 
  require.True(t, t.Run("generate", ct.Generate), "contrast generate needs to succeed for subsequent tests")

diff --git a/go.work b/go.work
@@ -1,7 +1,9 @@
-go 1.21
+go 1.22.0
+
+toolchain go1.22.2
 
 use (
  .
- ./service-mesh
  ./node-installer
+ ./service-mesh
 )
diff --git a/internal/attestation/snp/issuer.go b/internal/attestation/snp/issuer.go
@@ -71,14 +71,16 @@ func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (re
  i.logger.Info("Retrieved report", "reportRaw", hex.EncodeToString(reportRaw))
 
  // Get cert chain from THIM
+ var certChain *spb.CertificateChain
  thimRaw, err := i.thimGetter.GetCertification()
  if err != nil {
- return nil, fmt.Errorf("issuer: getting cert chain from THIM: %w", err)
- }
- i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
- certChain, err := thimRaw.Proto()
- if err != nil {
- return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+ i.logger.Info("Could not retrieve THIM certification", "error", err)
+ } else {
+ i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
+ certChain, err = thimRaw.Proto()
+ if err != nil {
+ return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+ }
  }
 
  // Get SNP product info from cpuid