constellation/.github/actions/e2e_verify/action.yml

name: Constellation verify
description: "Verify a Constellation cluster."

inputs:
  osImage:
    description: "The OS image used in the cluster."
    required: true
  cloudProvider:
    description: "The cloud provider used in the cluster."
    required: true
  kubeconfig:
    description: "The kubeconfig file for the cluster."
    required: true
  cosignPassword:
    required: true
    description: "The password for the cosign private key."
  cosignPrivateKey:
    required: true
    description: "The cosign private key."

runs:
  using: "composite"
  steps:
    - name: Expand version path
      id: expand-version
      uses: ./.github/actions/shortname
      with:
        shortname: ${{ inputs.osImage }}

    - name: Constellation fetch measurements
      shell: bash
      run: |
        if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]]
        then
          constellation config fetch-measurements --insecure
        else
          constellation config fetch-measurements
        fi

    - name: Constellation verify
      shell: bash
      run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml)

    - name: Verify all nodes
      shell: bash
      env:
        KUBECONFIG: ${{ inputs.kubeconfig }}
      run: |
        clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml)
        nodes=$(kubectl get nodes -o json | jq -r ".items[].metadata.name")

        for node in $nodes ; do
          verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1)

          mapfile -t verificationPod <<< "$verificationPod"

          if [[ ${#verificationPod[@]} -ne 1 ]]; then
            echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}"
            exit 1
          fi

          echo "Verifying pod ${verificationPod} on node ${node}"

          kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m
          kubectl port-forward -n kube-system "pods/${verificationPod}"  9090:9090 &
          forwarderPID=$!
          sleep 5

          if [[ ${{ inputs.cloudProvider }} == "azure" ]]; then
            echo "Extracting Azure TCB versions for API update"
            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
          else
            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
          fi

          kill $forwarderPID
        done

    - name: Login to AWS
      if: github.ref_name == 'main' && inputs.cloudProvider == 'azure'
      uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1

    - name: Upload extracted TCBs
      if: github.ref_name == 'main' && inputs.cloudProvider == 'azure'
      shell: bash
      env:
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
      run: |
        for file in $(ls snp-report-*.json); do
          path=$(realpath "${file}")
          cat "${path}"
          bazel run //internal/api/attestationconfigapi/cli -- --snp-report-path "${path}"
        done
AB2564 Add constellation verify e2e test (#875) 2023-01-09 02:54:41 -05:00			`name: Constellation verify`
			`description: "Verify a Constellation cluster."`

			`inputs:`
			`osImage:`
			`description: "The OS image used in the cluster."`
			`required: true`
			`cloudProvider:`
			`description: "The cloud provider used in the cluster."`
			`required: true`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00			`kubeconfig:`
			`description: "The kubeconfig file for the cluster."`
			`required: true`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`cosignPassword:`
			`required: true`
			`description: "The password for the cosign private key."`
			`cosignPrivateKey:`
			`required: true`
			`description: "The cosign private key."`
AB2564 Add constellation verify e2e test (#875) 2023-01-09 02:54:41 -05:00
			`runs:`
			`using: "composite"`
			`steps:`
ci: add missing version expansion to verify test Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-21 12:35:07 -04:00			`- name: Expand version path`
			`id: expand-version`
			`uses: ./.github/actions/shortname`
			`with:`
			`shortname: ${{ inputs.osImage }}`

Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`- name: Constellation fetch measurements`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`shell: bash`
			`run: \|`
Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]]`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`then`
Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`constellation config fetch-measurements --insecure`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`else`
Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`constellation config fetch-measurements`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`fi`
ci: unified order and style of workflows/actions Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-01-18 04:15:58 -05:00
AB2564 Add constellation verify e2e test (#875) 2023-01-09 02:54:41 -05:00			`- name: Constellation verify`
			`shell: bash`
ci: remove force flag from CLI commands (#2479) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-10-20 02:10:26 -04:00			`run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml)`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00
			`- name: Verify all nodes`
			`shell: bash`
			`env:`
			`KUBECONFIG: ${{ inputs.kubeconfig }}`
			`run: \|`
fix verify test (#2424) 2023-10-10 14:47:53 -04:00			`clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml)`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00			`nodes=$(kubectl get nodes -o json \| jq -r ".items[].metadata.name")`

			`for node in $nodes ; do`
			`verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system \| grep "verification-service" \| cut -d' ' -f1)`

			`mapfile -t verificationPod <<< "$verificationPod"`

			`if [[ ${#verificationPod[@]} -ne 1 ]]; then`
			`echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}"`
			`exit 1`
			`fi`

e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`echo "Verifying pod ${verificationPod} on node ${node}"`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00
			`kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m`
			`kubectl port-forward -n kube-system "pods/${verificationPod}" 9090:9090 &`
			`forwarderPID=$!`
			`sleep 5`

api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`if [[ ${{ inputs.cloudProvider }} == "azure" ]]; then`
			`echo "Extracting Azure TCB versions for API update"`
ci: remove force flag from CLI commands (#2479) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-10-20 02:10:26 -04:00			`constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`else`
ci: remove force flag from CLI commands (#2479) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-10-20 02:10:26 -04:00			`constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`fi`

api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`kill $forwarderPID`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`done`

			`- name: Login to AWS`
			`if: github.ref_name == 'main' && inputs.cloudProvider == 'azure'`
			`uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0`
			`with:`
			`role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline`
			`aws-region: eu-central-1`

			`- name: Upload extracted TCBs`
			`if: github.ref_name == 'main' && inputs.cloudProvider == 'azure'`
			`shell: bash`
			`env:`
			`COSIGN_PASSWORD: ${{ inputs.cosignPassword }}`
			`COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}`
			`run: \|`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`for file in $(ls snp-report-*.json); do`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`path=$(realpath "${file}")`
			`cat "${path}"`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`bazel run //internal/api/attestationconfigapi/cli -- --snp-report-path "${path}"`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00			`done`