
Changes to migrate to new TUF repository #23588
Merged (26 commits), Jan 10, 2025
Conversation

@lucasmrod (Member) commented Nov 6, 2024

Changes

  • orbit >= 1.38.0, when configured to connect to https://tuf.fleetctl.com (existing fleetd deployments) will now connect to https://updates.fleetdm.com and start using the metadata in path /opt/orbit/updates-metadata.json.
  • orbit >= 1.38.0, when configured to connect to some custom TUF (not Fleet's TUFs) will copy /opt/orbit/tuf-metadata.json to /opt/orbit/updates-metadata.json (if it doesn't exist) and start using the latter.
  • fleetctl 4.63.0 will now generate artifacts using https://updates.fleetdm.com by default (or a custom TUF if --update-url is set) and generate two (same file) metadata files /opt/orbit/updates-metadata.json and the legacy one to support downgrades /opt/orbit/tuf-metadata.json.
  • fleetctl 4.62.0 when configured to use custom TUF (not Fleet's TUF) will generate just the legacy metadata file /opt/orbit/tuf-metadata.json.

User stories

See "User stories" in https://github.com/fleetdm/confidential/issues/8488.

  • Update update.defaultRootMetadata and update.DefaultURL when the new repository is ready.
  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.
  • Added/updated tests
  • Manual QA for all new/changed functionality
  • For Orbit and Fleet Desktop changes:
    • Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (runtime.GOOS).
    • Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
    • Auto-update manual QA, from released version of component to new version (see tools/tuf/test).

codecov bot commented Nov 6, 2024

Codecov Report

Attention: Patch coverage is 12.86550% with 149 lines in your changes missing coverage. Please review.

Project coverage is 63.75%. Comparing base (d079b63) to head (aec9d3c).
Report is 64 commits behind head on main.

Files with missing lines            Patch %   Lines
orbit/pkg/update/update.go          16.66%    87 missing and 3 partials
orbit/cmd/orbit/orbit.go             0.00%    42 missing
orbit/pkg/update/runner.go           0.00%    11 missing and 1 partial
orbit/pkg/packaging/packaging.go    50.00%    2 missing and 1 partial
cmd/fleetctl/preview.go              0.00%    1 missing
orbit/cmd/orbit/shell.go             0.00%    1 missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #23588      +/-   ##
==========================================
- Coverage   63.84%   63.75%   -0.10%     
==========================================
  Files        1616     1618       +2     
  Lines      153829   154316     +487     
  Branches     4026     4026              
==========================================
+ Hits        98218    98378     +160     
- Misses      47796    48112     +316     
- Partials     7815     7826      +11     
Flag Coverage Δ
backend 64.61% <12.86%> (-0.11%) ⬇️


@lukeheath (Member)

Adding @getvictor as a reviewer so the MDM product group is in the loop on what's changing.

cc @georgekarrv

@lucasmrod (Member, Author)

I'll convert to draft to attempt to iterate a safer migration and one that would allow rolling back to 1.35.0 if a customer/user wants to.

@lucasmrod lucasmrod marked this pull request as draft November 7, 2024 22:23
@getvictor (Member) previously approved these changes Nov 8, 2024 and left a comment:

Looks good.

(Review thread on orbit/tools/cleanup/cleanup_linux.sh: outdated, resolved.)
@zwass (Member) previously approved these changes Dec 10, 2024 and left a comment:

The changes lgtm! Let's remember this needs EXTENSIVE testing before going live. If there are issues we risk having to ask users to reinstall agent packages.

@lukeheath lukeheath marked this pull request as draft January 3, 2025 22:20
@lukeheath (Member)

Converting PR to draft until it's ready to merge.

@lucasmrod (Member, Author) commented Jan 7, 2025

@zwass We added some changes to support the scenario where 1.38.0 needs an urgent fix (or customer wants to downgrade to 1.37.0) and endpoints cannot access https://updates.fleetdm.com.

To cover that scenario we added HasAccessToNewTUFServer; if it returns false, orbit 1.38.0+ will resort to communicating with the old TUF. Once HasAccessToNewTUFServer succeeds for the first time, it will always communicate with the new TUF (by storing a /opt/orbit/new-tuf-checked file).

Please re-review this commit.

PS: Was left as draft to not affect our metrics.
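The fallback described in this comment, together with the metadata-file handling from the PR description, as an added example in Go that is not orbit's own code: the URLs and file names are the ones the PR names, rootDir stands in for /opt/orbit, and probe stands in for HasAccessToNewTUFServer, whose real signature is an assumption here.

```go
package main

import (
	"os"
	"path/filepath"
)

// URLs and file names come from the PR description; the logic is an illustrative model.
const (
	legacyTUFURL = "https://tuf.fleetctl.com"
	newTUFURL    = "https://updates.fleetdm.com"
	legacyMeta   = "tuf-metadata.json"     // legacy /opt/orbit/tuf-metadata.json
	newMeta      = "updates-metadata.json" // new /opt/orbit/updates-metadata.json
	checkedMark  = "new-tuf-checked"       // sticky marker: new TUF reached at least once
)

// Decision is the update server and metadata file orbit would use for this run.
type Decision struct{ URL, MetadataPath string }

// ResolveUpdateConfig models the migration; rootDir stands in for /opt/orbit and probe
// stands in for HasAccessToNewTUFServer (hypothetical signature, returns true on access).
func ResolveUpdateConfig(configuredURL, rootDir string, probe func(string) bool) (Decision, error) {
	legacyPath := filepath.Join(rootDir, legacyMeta)
	newPath := filepath.Join(rootDir, newMeta)
	marker := filepath.Join(rootDir, checkedMark)
	if configuredURL != legacyTUFURL {
		// Custom TUF: keep the configured URL; seed the new metadata file from the legacy one once.
		if _, err := os.Stat(newPath); os.IsNotExist(err) {
			data, err := os.ReadFile(legacyPath)
			if err != nil {
				return Decision{}, err
			}
			if err := os.WriteFile(newPath, data, 0o644); err != nil {
				return Decision{}, err
			}
		}
		return Decision{configuredURL, newPath}, nil
	}
	if _, err := os.Stat(marker); err == nil { // new server reached before: never fall back
		return Decision{newTUFURL, newPath}, nil
	}
	if !probe(newTUFURL) { // no access yet: stay on the old TUF so a downgrade still works
		return Decision{legacyTUFURL, legacyPath}, nil
	}
	if err := os.WriteFile(marker, nil, 0o600); err != nil { // record first successful access
		return Decision{}, err
	}
	return Decision{newTUFURL, newPath}, nil
}
```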

@lukeheath lukeheath marked this pull request as ready for review January 7, 2025 21:26
@lukeheath (Member)

I'm setting this to "Ready for review" now that it's ready. Because it's so old it would be great to merge by Friday before we report KPIs :)

@zwass (Member) left a comment:

IIUC the check for access to the new repo only happens while the old update URL is configured. Once the access is detected, the new update URL gets configured and the check stops happening. Is that right? If so it seems reasonable to me.

@lucasmrod (Member, Author)

> IIUC the check for access to the new repo only happens while the old update URL is configured. Once the access is detected, the new update URL gets configured and the check stops happening. Is that right? If so it seems reasonable to me.

Correct.

@getvictor (Member) left a comment:

LGTM

@lucasmrod lucasmrod merged commit 009f54b into main Jan 10, 2025
42 of 43 checks passed
@lucasmrod lucasmrod deleted the 8488-new-tuf-repository branch January 10, 2025 17:27