constellation/.github/actions/e2e_verify/action.yml

name: Constellation verify
description: "Verify a Constellation cluster."

inputs:
  osImage:
    description: "The OS image used in the cluster."
    required: true
  attestationVariant:
    description: "The attestation variant used in the cluster."
    required: true
  kubeconfig:
    description: "The kubeconfig file for the cluster."
    required: true
  cosignPassword:
    required: true
    description: "The password for the cosign private key."
  cosignPrivateKey:
    required: true
    description: "The cosign private key."

runs:
  using: "composite"
  steps:
    - name: Expand version path
      id: expand-version
      uses: ./.github/actions/shortname
      with:
        shortname: ${{ inputs.osImage }}

    - name: Constellation fetch measurements
      shell: bash
      run: |
        if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]]
        then
          constellation config fetch-measurements --insecure
        else
          constellation config fetch-measurements
        fi

    - name: Constellation verify
      shell: bash
      run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml)

    - name: Verify all nodes
      shell: bash
      env:
        KUBECONFIG: ${{ inputs.kubeconfig }}
      run: |
        clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml)
        nodes=$(kubectl get nodes -o json | jq -r ".items[].metadata.name")

        for node in $nodes ; do
          verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1)

          mapfile -t verificationPod <<< "$verificationPod"

          if [[ ${#verificationPod[@]} -ne 1 ]]; then
            echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}"
            exit 1
          fi

          echo "Verifying pod ${verificationPod} on node ${node}"

          kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m
          kubectl port-forward -n kube-system "pods/${verificationPod}"  9090:9090 &
          forwarderPID=$!
          sleep 5

          # TODO(v2.15): Remove workaround since we don't need to support v2.13 anymore
          if [[ ${{ inputs.attestationVariant }} == "azure-sev-snp" ]] || { [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && ! constellation version | grep -q "v2.13."; }; then
            echo "Extracting TCB versions for API update"
            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"
          else
            constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090
          fi

          kill $forwarderPID
        done

    - name: Login to AWS
      if: github.ref_name == 'main'
      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1

    - name: Upload extracted TCBs
      if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp')
      shell: bash
      env:
        COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
        COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
      run: |
        if [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && constellation version | grep -q "v2.13."; then
          echo "Skipping TCB upload for AWS on CLI v2.13"
          exit 0
        fi

        reports=(snp-report-*.json)
        if [ -z ${#reports[@]} ]; then
            exit 1
        fi

        attestationVariant=${{ inputs.attestationVariant }}
        cloudProvider=${attestationVariant%%-*}

        for file in "${reports[@]}"; do
          path=$(realpath "${file}")
          cat "${path}"
          bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}"
        done
AB2564 Add constellation verify e2e test (#875) 2023-01-09 02:54:41 -05:00			`name: Constellation verify`
			`description: "Verify a Constellation cluster."`

			`inputs:`
			`osImage:`
			`description: "The OS image used in the cluster."`
			`required: true`
Allow starting e2e tests based on attestation variant instead of csp Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2024-01-25 09:32:19 -05:00			`attestationVariant:`
			`description: "The attestation variant used in the cluster."`
AB2564 Add constellation verify e2e test (#875) 2023-01-09 02:54:41 -05:00			`required: true`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00			`kubeconfig:`
			`description: "The kubeconfig file for the cluster."`
			`required: true`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`cosignPassword:`
			`required: true`
			`description: "The password for the cosign private key."`
			`cosignPrivateKey:`
			`required: true`
			`description: "The cosign private key."`
AB2564 Add constellation verify e2e test (#875) 2023-01-09 02:54:41 -05:00
			`runs:`
			`using: "composite"`
			`steps:`
ci: add missing version expansion to verify test Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-03-21 12:35:07 -04:00			`- name: Expand version path`
			`id: expand-version`
			`uses: ./.github/actions/shortname`
			`with:`
			`shortname: ${{ inputs.osImage }}`

Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`- name: Constellation fetch measurements`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`shell: bash`
			`run: \|`
Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]]`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`then`
Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`constellation config fetch-measurements --insecure`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`else`
Add --insecure to config fetch-measurement (#1879) * cli: add --insecure to fetch-measurements * cli: rename fake to stub * ci: upload measurements for debug images * fix cli docs 2023-06-06 04:32:22 -04:00			`constellation config fetch-measurements`
Select attestation variant for verify test (#1755) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-05-12 05:06:49 -04:00			`fi`
ci: unified order and style of workflows/actions Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-01-18 04:15:58 -05:00
AB2564 Add constellation verify e2e test (#875) 2023-01-09 02:54:41 -05:00			`- name: Constellation verify`
			`shell: bash`
ci: remove force flag from CLI commands (#2479) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-10-20 02:10:26 -04:00			`run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml)`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00
			`- name: Verify all nodes`
			`shell: bash`
			`env:`
			`KUBECONFIG: ${{ inputs.kubeconfig }}`
			`run: \|`
fix verify test (#2424) 2023-10-10 14:47:53 -04:00			`clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml)`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00			`nodes=$(kubectl get nodes -o json \| jq -r ".items[].metadata.name")`

			`for node in $nodes ; do`
			`verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system \| grep "verification-service" \| cut -d' ' -f1)`

			`mapfile -t verificationPod <<< "$verificationPod"`

			`if [[ ${#verificationPod[@]} -ne 1 ]]; then`
			`echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}"`
			`exit 1`
			`fi`

e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`echo "Verifying pod ${verificationPod} on node ${node}"`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00
			`kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m`
			`kubectl port-forward -n kube-system "pods/${verificationPod}" 9090:9090 &`
			`forwarderPID=$!`
			`sleep 5`

ci: only run verify with JSON output on v2.14 or newer (#2649) * Only run verify with JSON output on v2.14 or newer * Dont upload TCB version for AWS on v2.13 * Remove workaround for CLI not yet support apply to initialize clusters --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-11-28 08:31:27 -05:00			`# TODO(v2.15): Remove workaround since we don't need to support v2.13 anymore`
Allow starting e2e tests based on attestation variant instead of csp Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2024-01-25 09:32:19 -05:00			`if [[ ${{ inputs.attestationVariant }} == "azure-sev-snp" ]] \|\| { [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && ! constellation version \| grep -q "v2.13."; }; then`
ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`echo "Extracting TCB versions for API update"`
ci: remove force flag from CLI commands (#2479) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-10-20 02:10:26 -04:00			`constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "snp-report-${node}.json"`
api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`else`
ci: remove force flag from CLI commands (#2479) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-10-20 02:10:26 -04:00			`constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`fi`

api: for Azure attestationconfigapi use TCB values from SNP report instead of MAA token (#2429) 2023-10-17 11:36:50 -04:00			`kill $forwarderPID`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`done`

			`- name: Login to AWS`
ci: remove conditional from AWS login in e2e verify test (#2727) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-12-18 05:51:50 -05:00			`if: github.ref_name == 'main'`
deps: update aws-actions/configure-aws-credentials action to v4 (#2510) Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-10-26 02:18:37 -04:00			`uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`with:`
			`role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline`
			`aws-region: eu-central-1`

			`- name: Upload extracted TCBs`
Allow starting e2e tests based on attestation variant instead of csp Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2024-01-25 09:32:19 -05:00			`if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' \|\| inputs.attestationVariant == 'aws-sev-snp')`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`shell: bash`
			`env:`
			`COSIGN_PASSWORD: ${{ inputs.cosignPassword }}`
			`COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}`
			`run: \|`
Allow starting e2e tests based on attestation variant instead of csp Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2024-01-25 09:32:19 -05:00			`if [[ ${{ inputs.attestationVariant }} == "aws-sev-snp" ]] && constellation version \| grep -q "v2.13."; then`
ci: only run verify with JSON output on v2.14 or newer (#2649) * Only run verify with JSON output on v2.14 or newer * Dont upload TCB version for AWS on v2.13 * Remove workaround for CLI not yet support apply to initialize clusters --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2023-11-28 08:31:27 -05:00			`echo "Skipping TCB upload for AWS on CLI v2.13"`
			`exit 0`
			`fi`

ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`reports=(snp-report-*.json)`
			`if [ -z ${#reports[@]} ]; then`
			`exit 1`
			`fi`

Allow starting e2e tests based on attestation variant instead of csp Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2024-01-25 09:32:19 -05:00			`attestationVariant=${{ inputs.attestationVariant }}`
			`cloudProvider=${attestationVariant%%-*}`

ci: call TCB upload step for AWS 2023-11-14 07:25:52 -05:00			`for file in "${reports[@]}"; do`
e2e: upload TCB versions in verify test The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-09 12:58:46 -04:00			`path=$(realpath "${file}")`
			`cat "${path}"`
Allow starting e2e tests based on attestation variant instead of csp Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2024-01-25 09:32:19 -05:00			`bazel run //internal/api/attestationconfigapi/cli -- upload "${cloudProvider}" snp-report "${path}"`
ci: verify all pods in verify e2e Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> 2023-08-04 09:43:51 -04:00			`done`