diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 64bae5c956..c0b6592068 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -213,8 +213,8 @@ jobs:
 --replace "ghcr.io/edgelesssys/contrast/node-installer:latest" "$nodeInstallerImgTagged"
 nix run .#kypatch namespace -- workspace/runtime.yml \
 --replace edg-default kube-system
- nix run .#scripts.write-emojivoto-demo -- "./image-replacements.txt" "deployments/emojivoto-demo.yml"
- zip -r deployments/emojivoto-demo.zip deployments/emojivoto-demo.yml
+ nix run .#scripts.write-emojivoto-demo -- "./image-replacements.txt" "deployment/emojivoto-demo.yml"
+ zip -r deployment/emojivoto-demo.zip deployment/emojivoto-demo.yml
 - name: Update coordinator policy hash
 run: |
 yq < workspace/coordinator.yml \
@@ -239,7 +239,7 @@ jobs:
 result-cli/bin/contrast
 workspace/coordinator.yml
 workspace/runtime.yml
- deployments/emojivoto-demo.zip
+ deployment/emojivoto-demo.zip
 - name: Reset temporary changes
 run: |
 git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
@@ -281,5 +281,5 @@ jobs:
 -H "Accept: application/vnd.github+json" \
 -H "X-GitHub-Api-Version: 2022-11-28" \
 /repos/edgelesssys/contrast/milestones \
- -f title='${NEXT_MINOR}' \
+ -f title="${NEXT_MINOR}" \
 -f state='open'
diff --git a/.gitignore b/.gitignore
index 5f41de2ae2..3a5b3cc797 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ go.work.sum
 node_modules
 .docusaurus
 build/
+.worktree
diff --git a/dev-docs/aks/nested-virt-internals.md b/dev-docs/aks/nested-virt-internals.md
index e6cdf32763..c11f0b2508 100644
--- a/dev-docs/aks/nested-virt-internals.md
+++ b/dev-docs/aks/nested-virt-internals.md
@@ -155,12 +155,12 @@ This file is a serialization of [katautils.tomlConfig] and contains decent inlin
 option.
-Example of a useful drop-in fragment +Example of a drop-in fragment raising the default memory per VM ```sh cat >/opt/confidential-containers/share/defaults/kata-containers/config.d/10-memory.toml < @@ -173,9 +173,11 @@ EOF There's [AKS documentation for resource management] which explains the basics of how CPU and memory are allocated for a Kata VM. -The default memory allocation is quite high at 2GiB, which fills up the node fast. -It's unclear why this default is chosen, given that the container limit's added on top of this -value. Forcing a size with the pod annotation +The default memory overhead added by the `RuntimeClass` is quite high at 2GiB, which fills up the node fast. +It's unclear why this default is chosen, given that the container limit is added on top of this +value and that the VMs are created with a 256MiB overhead. + +Forcing a size with the pod annotation `io.katacontainers.config.hypervisor.default_memory` would be possible, but the annotation would need to be allow-listed in the config setting `enable_annotations`. @@ -186,7 +188,7 @@ need to be allow-listed in the config setting `enable_annotations`. ```toml [hypervisor.clh] -default_memory = 2048 # MiB! Minimum seems to be around 256. +default_memory = 256 default_vcpus = 1 enable_annotations = ["enable_iommu"] diff --git a/docs/docs/examples/emojivoto.md b/docs/docs/examples/emojivoto.md index 6e8429025e..47b48148e2 100644 --- a/docs/docs/examples/emojivoto.md +++ b/docs/docs/examples/emojivoto.md 
@@ -138,8 +138,6 @@ to the workloads using the Coordinator's `mesh-root.pem` as a trusted CA certifi To access the web frontend, expose the service on a public IP address via a LoadBalancer service: ```sh -kubectl patch svc web-svc -p '{"spec": {"type": "LoadBalancer"}}' -timeout 30s bash -c 'until kubectl get service/web-svc --output=jsonpath='{.status.loadBalancer}' | grep "ingress"; do sleep 2 ; done' frontendIP=$(kubectl get svc web-svc -o=jsonpath='{.status.loadBalancer.ingress[0].ip}') echo "Frontend is available at https://$frontendIP, you can visit it in your browser." ``` diff --git a/docs/docs/getting-started/cluster-setup.md b/docs/docs/getting-started/cluster-setup.md index 6f3643d8c8..94dd248f2c 100644 --- a/docs/docs/getting-started/cluster-setup.md +++ b/docs/docs/getting-started/cluster-setup.md @@ -144,8 +144,7 @@ In case you've created a new resource group, you can just delete that group with ```sh az group delete \ - --name "$azResourceGroup" \ - --location "$azLocation" + --name "$azResourceGroup" ``` Deleting the resource group will also delete the cluster and all other related resources. diff --git a/docs/versioned_docs/version-0.5.0/examples/emojivoto.md b/docs/versioned_docs/version-0.5.0/examples/emojivoto.md index 04444d1471..863b213519 100644 --- a/docs/versioned_docs/version-0.5.0/examples/emojivoto.md +++ b/docs/versioned_docs/version-0.5.0/examples/emojivoto.md 
@@ -138,8 +138,6 @@ to the workloads using the Coordinator's `mesh-root.pem` as a trusted CA certifi To access the web frontend, expose the service on a public IP address via a LoadBalancer service: ```sh -kubectl patch svc web-svc -p '{"spec": {"type": "LoadBalancer"}}' -timeout 30s bash -c 'until kubectl get service/web-svc --output=jsonpath='{.status.loadBalancer}' | grep "ingress"; do sleep 2 ; done' frontendIP=$(kubectl get svc web-svc -o=jsonpath='{.status.loadBalancer.ingress[0].ip}') echo "Frontend is available at https://$frontendIP, you can visit it in your browser." ``` diff --git a/docs/versioned_docs/version-0.5.0/getting-started/cluster-setup.md b/docs/versioned_docs/version-0.5.0/getting-started/cluster-setup.md index 6f3643d8c8..94dd248f2c 100644 --- a/docs/versioned_docs/version-0.5.0/getting-started/cluster-setup.md +++ b/docs/versioned_docs/version-0.5.0/getting-started/cluster-setup.md @@ -144,8 +144,7 @@ In case you've created a new resource group, you can just delete that group with ```sh az group delete \ - --name "$azResourceGroup" \ - --location "$azLocation" + --name "$azResourceGroup" ``` Deleting the resource group will also delete the cluster and all other related resources. diff --git a/e2e/internal/kubeclient/deploy.go b/e2e/internal/kubeclient/deploy.go index 1f8a628a6d..101869c3e5 100644 --- a/e2e/internal/kubeclient/deploy.go +++ b/e2e/internal/kubeclient/deploy.go 
@@ -84,20 +84,21 @@ func (c *Kubeclient) WaitForDeployment(ctx context.Context, namespace, name stri
 if ctx.Err() != context.DeadlineExceeded {
 return ctx.Err()
 }
+ ctxErr := ctx.Err()
 // Fetch and print debug information.
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
 pods, err := c.PodsFromDeployment(ctx, namespace, name) //nolint:contextcheck // The parent context expired.
 if err != nil {
 logger.Error("could not fetch pods for deployment", "name", name, "error", err)
- return ctx.Err()
+ return ctxErr
 }
 for _, pod := range pods {
 if !isPodReady(&pod) {
 logger.Debug("pod not ready", "name", pod.Name, "status", c.toJSON(pod.Status))
 }
 }
- return ctx.Err()
+ return ctxErr
 }
 }
 }
diff --git a/e2e/internal/kuberesource/parts.go b/e2e/internal/kuberesource/parts.go
index 77a50127bb..9430433392 100644
--- a/e2e/internal/kuberesource/parts.go
+++ b/e2e/internal/kuberesource/parts.go
@@ -18,7 +18,7 @@ func ContrastRuntimeClass() *RuntimeClassConfig {
 r := RuntimeClass(runtimeHandler).
 WithHandler(runtimeHandler).
 WithLabels(map[string]string{"addonmanager.kubernetes.io/mode": "Reconcile"}).
- WithOverhead(Overhead(corev1.ResourceList{"memory": resource.MustParse("2Gi")})).
+ WithOverhead(Overhead(corev1.ResourceList{"memory": resource.MustParse("1152Mi")})).
 WithScheduling(Scheduling(map[string]string{"kubernetes.azure.com/kata-cc-isolation": "true"}))
 return &RuntimeClassConfig{r}
diff --git a/e2e/internal/kuberesource/resourcegen/main.go b/e2e/internal/kuberesource/resourcegen/main.go
index f6e0b8e79f..7ce5d6b3d1 100644
--- a/e2e/internal/kuberesource/resourcegen/main.go
+++ b/e2e/internal/kuberesource/resourcegen/main.go
@@ -44,7 +44,7 @@ func main() {
 case "openssl":
 resources, err = kuberesource.OpenSSL()
 case "emojivoto":
- resources, err = kuberesource.Emojivoto()
+ resources, err = kuberesource.Emojivoto(kuberesource.ServiceMeshDisabled)
 default:
 fmt.Printf("Error: unknown set: %s\n", set)
 os.Exit(1)
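Review bot: The added `ctxErr := ctx.Err()` line sits below an `if` that already calls ctx.Err() twice, so the deadline error is read three times before ctx is rebound; capturing it once above the check and comparing that value reads cleaner, `ctxErr := ctx.Err()` followed by `if !errors.Is(ctxErr, context.DeadlineExceeded) { return ctxErr }`. A short comment on the capture would also explain why it exists, e.g. `// Keep the parent's deadline error; ctx is rebound below for the debug fetch.`, since the shadowing is the bug this commit fixes. The enclosing WaitForDeployment starts outside the hunk, and whether `errors` is already imported in this file cannot be seen here.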
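Review bot: `1152Mi` on the changed WithOverhead line in parts.go is an unexplained constant that replaces an equally unexplained `2Gi`; the next person tuning node packing has no way to tell how it was derived. A one-line comment naming the source would fix that, e.g. `// Kata VM overhead on AKS; see dev-docs/aks/nested-virt-internals.md for how this was derived.`, since the dev-docs hunk in this commit is where the memory reasoning lives. The enclosing ContrastRuntimeClass starts outside the hunk.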
diff --git a/e2e/servicemesh/servicemesh_test.go b/e2e/servicemesh/servicemesh_test.go
index 21d940f956..f3371eadf3 100644
--- a/e2e/servicemesh/servicemesh_test.go
+++ b/e2e/servicemesh/servicemesh_test.go
@@ -30,9 +30,13 @@ var imageReplacements map[string]string
 func TestIngressEgress(t *testing.T) {
 ct := contrasttest.New(t, imageReplacements)
- resources, err := kuberesource.EmojivotoIngressEgress()
+ resources, err := kuberesource.Emojivoto(kuberesource.ServiceMeshIngressEgress)
 require.NoError(t, err)
+ coordinator := kuberesource.Coordinator("").DeploymentApplyConfiguration
+ coordinatorService := kuberesource.ServiceForDeployment(coordinator)
+ resources = append(resources, coordinator, coordinatorService)
+
 ct.Init(t, resources)
 require.True(t, t.Run("generate", ct.Generate), "contrast generate needs to succeed for subsequent tests")
diff --git a/go.work b/go.work
index e3971c83b7..14a8ad335e 100644
--- a/go.work
+++ b/go.work
@@ -1,7 +1,9 @@
-go 1.21
+go 1.22.0
+
+toolchain go1.22.2
 use (
 .
- ./service-mesh
 ./node-installer
+ ./service-mesh
 )
diff --git a/internal/attestation/snp/issuer.go b/internal/attestation/snp/issuer.go
index 6c70d09765..387e9e1cd3 100644
--- a/internal/attestation/snp/issuer.go
+++ b/internal/attestation/snp/issuer.go
@@ -71,14 +71,16 @@ func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (re
 i.logger.Info("Retrieved report", "reportRaw", hex.EncodeToString(reportRaw))
 // Get cert chain from THIM
+ var certChain *spb.CertificateChain
 thimRaw, err := i.thimGetter.GetCertification()
 if err != nil {
- return nil, fmt.Errorf("issuer: getting cert chain from THIM: %w", err)
- }
- i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
- certChain, err := thimRaw.Proto()
- if err != nil {
- return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+ i.logger.Info("Could not retrieve THIM certification", "error", err)
+ } else {
+ i.logger.Info("Retrieved THIM certification", "thim", thimRaw)
+ certChain, err = thimRaw.Proto()
+ if err != nil {
+ return nil, fmt.Errorf("issuer: converting THIM cert chain: %w", err)
+ }
 }
 // Get SNP product info from cpuid
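Review bot: A THIM failure now leaves `certChain` nil and Issue carries on, so the attestation document is produced without its certificate chain and whoever verifies it has to obtain the VCEK chain some other way; that degraded path is logged at Info on the added `i.logger.Info("Could not retrieve THIM certification", ...)` line, where it is easy to filter out in production, and Warn would be the appropriate level if the logger supports it. The new `var certChain *spb.CertificateChain` line should also state that nil is a deliberate fallback, e.g. `// nil when THIM is unavailable; the verifier must then fetch the VCEK chain itself and must not treat a missing chain as trusted.`. Issue continues outside the hunk, so whether the code that consumes certChain tolerates nil cannot be confirmed here and should be checked.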