ci: keep embedded measurements if stable image is used (#2109)

Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Malte Poll <mp@edgeless.systems>
2025-03-25 16:18:23 -04:00 · 2023-08-04 09:43:32 +02:00 · 2023-08-04 09:43:32 +02:00 · af05e17f49
commit af05e17f49
parent d71422667e
7 changed files with 18 additions and 67 deletions
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@ -26,12 +26,12 @@ inputs:
  artifactNameSuffix:
    description: "Suffix for artifact naming."
    required: true
-  keepMeasurements:
-    default: "false"
-    description: "Keep measurements embedded in the CLI."
  existingConfig:
    default: "false"
    description: "Use existing config file."
+  fetchMeasurements:
+    default: "false"
+    description: "Update measurements via the 'constellation config fetch-measurements' command."
  #
  # GCP specific inputs
  #
@ -115,53 +115,6 @@ runs:
          yq eval -i "(.kubernetesVersion) = \"${{ inputs.kubernetesVersion }}\"" constellation-conf.yaml
        fi

-    - name: Remove embedded measurements
-      if: inputs.keepMeasurements == 'false'
-      shell: bash
-      run: |
-        if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]]
-        then
-          yq eval -i \
-            "(.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.provider | select(. | has(\"azure\")).azure.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.provider | select(. | has(\"gcp\")).gcp.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.provider | select(. | has(\"qemu\")).qemu.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-        else
-          yq eval -i \
-            "(.attestation | select(. | has(\"awsNitroTPM\")).awsNitroTPM.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.attestation | select(. | has(\"awsSEVSNP\")).awsSEVSNP.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.attestation | select(. | has(\"azureSEVSNP\")).azureSEVSNP.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.attestation | select(. | has(\"azureTrustedLaunch\")).azureTrustedLaunch.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.attestation | select(. | has(\"gcpSEVES\")).gcpSEVES.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\
-            constellation-conf.yaml
-
-          yq eval -i \
-            "(.attestation | select(. | has(\"qemuVTPM\")).qemuVTPM.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
-            constellation-conf.yaml
-        fi
-
    - name: Set image
      id: setImage
      shell: bash
@ -178,6 +131,12 @@ runs:
        yq eval -i "(.image) = \"${imageInput}\"" constellation-conf.yaml
        echo "image=${imageInput}" | tee -a "$GITHUB_OUTPUT"

+    - name: Update measurements for non-stable images
+      if: inputs.fetchMeasurements
+      shell: bash
+      run: |
+        constellation config fetch-measurements --debug --insecure
+
    - name: Set instanceType
      if: inputs.machineType && inputs.machineType != 'default'
      shell: bash
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -29,9 +29,6 @@ inputs:
  kubernetesVersion:
    description: "Kubernetes version to create the cluster from."
    required: false
-  keepMeasurements:
-    default: "false"
-    description: "Keep measurements embedded in the CLI."
  gcpProject:
    description: "The GCP project to deploy Constellation in."
    required: false
@ -74,7 +71,10 @@ inputs:
  githubToken:
    description: "GitHub authorization token"
    required: true
-
+  fetchMeasurements:
+    default: "false"
+    description: "Update measurements via the 'constellation config fetch-measurements' command."
+    
 outputs:
  kubeconfig:
    description: "The kubeconfig for the cluster."
@ -237,9 +237,9 @@ runs:
        osImage: ${{ inputs.osImage }}
        isDebugImage: ${{ inputs.isDebugImage }}
        kubernetesVersion: ${{ inputs.kubernetesVersion }}
-        keepMeasurements: ${{ inputs.keepMeasurements }}
        existingConfig: ${{ steps.constellation-iam-create.outputs.existingConfig }}
        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        fetchMeasurements: ${{ inputs.fetchMeasurements }}

    #
    # Test payloads
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@ -84,6 +84,7 @@ jobs:
          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
          registry: ghcr.io
          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}

      - name: Always terminate cluster
        if: always()
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@ -40,11 +40,6 @@ on:
        description: "Kubernetes version to create the cluster from."
        default: "1.26"
        required: true
-      keepMeasurements:
-        description: "Keep measurements embedded in the CLI."
-        type: boolean
-        default: false
-        required: false
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
        type: string
@ -87,10 +82,6 @@ on:
        description: "Kubernetes version to create the cluster from."
        type: string
        required: true
-      keepMeasurements:
-        description: "Keep measurements embedded in the CLI."
-        type: boolean
-        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
        type: string
@ -247,7 +238,6 @@ jobs:
          gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
          test: ${{ inputs.test }}
          kubernetesVersion: ${{ inputs.kubernetesVersion }}
-          keepMeasurements: ${{ inputs.keepMeasurements }}
          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
@ -259,6 +249,7 @@ jobs:
          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
          registry: ghcr.io
          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }}

      - name: Always terminate cluster
        if: always()
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@ -189,7 +189,6 @@ jobs:
          cloudProvider: ${{ matrix.provider }}
          cliVersion: ""
          kubernetesVersion: ${{ matrix.kubernetes-version }}
-          keepMeasurements: "true"
          osImage: ""
          isDebugImage: "false"
          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
@ -205,7 +204,6 @@ jobs:
          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
          registry: ghcr.io
          githubToken: ${{ secrets.GITHUB_TOKEN }}
-
      - name: Always terminate cluster
        if: always()
        uses: ./.github/actions/constellation_destroy
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -207,6 +207,7 @@ jobs:
          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
          registry: ghcr.io
          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}

      - name: Always terminate cluster
        if: always()
--- a/cli/internal/cmd/configfetchmeasurements.go
+++ b/cli/internal/cmd/configfetchmeasurements.go
@ -164,6 +164,7 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(

 		cfm.log.Debugf("Verified measurements with Rekor")
 	}
+	cfm.log.Debugf("Measurements:\n", fetchedMeasurements)

 	cfm.log.Debugf("Updating measurements in configuration")
 	conf.UpdateMeasurements(fetchedMeasurements)