2023-01-09 02:54:41 -05:00
|
|
|
name: Constellation verify
|
|
|
|
description: "Verify a Constellation cluster."
|
|
|
|
|
|
|
|
inputs:
|
|
|
|
osImage:
|
|
|
|
description: "The OS image used in the cluster."
|
|
|
|
required: true
|
2024-01-25 09:32:19 -05:00
|
|
|
attestationVariant:
|
|
|
|
description: "The attestation variant used in the cluster."
|
2023-01-09 02:54:41 -05:00
|
|
|
required: true
|
2023-08-04 09:43:51 -04:00
|
|
|
kubeconfig:
|
|
|
|
description: "The kubeconfig file for the cluster."
|
|
|
|
required: true
|
2023-08-09 12:58:46 -04:00
|
|
|
cosignPassword:
|
|
|
|
required: true
|
|
|
|
description: "The password for the cosign private key."
|
|
|
|
cosignPrivateKey:
|
|
|
|
required: true
|
|
|
|
description: "The cosign private key."
|
2023-01-09 02:54:41 -05:00
|
|
|
|
|
|
|
runs:
|
|
|
|
using: "composite"
|
|
|
|
steps:
|
2023-03-21 12:35:07 -04:00
|
|
|
- name: Expand version path
|
|
|
|
id: expand-version
|
|
|
|
uses: ./.github/actions/shortname
|
|
|
|
with:
|
|
|
|
shortname: ${{ inputs.osImage }}
|
|
|
|
|
2023-06-06 04:32:22 -04:00
|
|
|
- name: Constellation fetch measurements
|
2023-05-12 05:06:49 -04:00
|
|
|
shell: bash
|
|
|
|
run: |
|
2023-06-06 04:32:22 -04:00
|
|
|
if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]]
|
2023-05-12 05:06:49 -04:00
|
|
|
then
|
2023-06-06 04:32:22 -04:00
|
|
|
constellation config fetch-measurements --insecure
|
2023-05-12 05:06:49 -04:00
|
|
|
else
|
2023-06-06 04:32:22 -04:00
|
|
|
constellation config fetch-measurements
|
2023-05-12 05:06:49 -04:00
|
|
|
fi
|
2023-01-18 04:15:58 -05:00
|
|
|
|
2023-01-09 02:54:41 -05:00
|
|
|
- name: Constellation verify
|
|
|
|
shell: bash
|
2023-10-20 02:10:26 -04:00
|
|
|
run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml)
|
2023-08-04 09:43:51 -04:00
|
|
|
|
|
|
|
- name: Verify all nodes
|
|
|
|
shell: bash
|
|
|
|
env:
|
|
|
|
KUBECONFIG: ${{ inputs.kubeconfig }}
|
|
|
|
run: |
|
2023-10-10 14:47:53 -04:00
|
|
|
clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml)
|
2023-08-04 09:43:51 -04:00
|
|
|
nodes=$(kubectl get nodes -o json | jq -r ".items[].metadata.name")
|
|
|
|
|
|
|
|
for node in $nodes ; do
|
|
|
|
verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1)
|
|
|
|
|
|
|
|
mapfile -t verificationPod <<< "$verificationPod"
|
|
|
|
|
|
|
|
if [[ ${#verificationPod[@]} -ne 1 ]]; then
|
|
|
|
echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2023-08-09 12:58:46 -04:00
|
|
|
echo "Verifying pod ${verificationPod} on node ${node}"
|
2023-08-04 09:43:51 -04:00
|
|
|
|
|
|
|
kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m
|
|
|
|
kubectl port-forward -n kube-system "pods/${verificationPod}" 9090:9090 &
|
|
|
|
forwarderPID=$!
|
|
|
|
sleep 5
|
|
|
|
|
2024-01-31 10:45:20 -05:00
|
|
|
if [[ ${{ inputs.attestationVariant }} == "azure-sev-snp" ]] || [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]]; then
|
2023-11-14 07:25:52 -05:00
|
|
|
echo "Extracting TCB versions for API update"
|
2023-10-20 02:10:26 -04:00
|
|
|
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
|
2023-10-17 11:36:50 -04:00
|
|
|
else
|
2023-10-20 02:10:26 -04:00
|
|
|
constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
|
2023-08-09 12:58:46 -04:00
|
|
|
fi
|
|
|
|
|
2023-10-17 11:36:50 -04:00
|
|
|
kill $forwarderPID
|
2023-08-09 12:58:46 -04:00
|
|
|
done
|
|
|
|
|
|
|
|
- name: Login to AWS
|
2023-12-18 05:51:50 -05:00
|
|
|
if: github.ref_name == 'main'
|
2024-02-21 09:29:06 -05:00
|
|
|
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
2023-08-09 12:58:46 -04:00
|
|
|
with:
|
|
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
|
|
aws-region: eu-central-1
|
|
|
|
|
|
|
|
- name: Upload extracted TCBs
|
2024-01-25 09:32:19 -05:00
|
|
|
if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp')
|
2023-08-09 12:58:46 -04:00
|
|
|
shell: bash
|
|
|
|
env:
|
|
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
|
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
|
|
run: |
|
2024-01-25 09:32:19 -05:00
|
|
|
if [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && constellation version | grep -q "v2.13."; then
|
2023-11-28 08:31:27 -05:00
|
|
|
echo "Skipping TCB upload for AWS on CLI v2.13"
|
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
2023-11-14 07:25:52 -05:00
|
|
|
reports=(snp-report-*.json)
|
|
|
|
if [ -z ${#reports[@]} ]; then
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2024-01-25 09:32:19 -05:00
|
|
|
attestationVariant=${{ inputs.attestationVariant }}
|
|
|
|
cloudProvider=${attestationVariant%%-*}
|
|
|
|
|
2023-11-14 07:25:52 -05:00
|
|
|
for file in "${reports[@]}"; do
|
2023-08-09 12:58:46 -04:00
|
|
|
path=$(realpath "${file}")
|
|
|
|
cat "${path}"
|
2024-01-25 09:32:19 -05:00
|
|
|
bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}"
|
2023-08-04 09:43:51 -04:00
|
|
|
done
|