ci: keep embedded measurements if stable image is used (#2109)

Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
Co-authored-by: Malte Poll <mp@edgeless.systems>
This commit is contained in:
Moritz Sanft 2023-08-04 09:43:32 +02:00 committed by GitHub
parent d71422667e
commit af05e17f49
7 changed files with 18 additions and 67 deletions


@ -26,12 +26,12 @@ inputs:
artifactNameSuffix: artifactNameSuffix:
description: "Suffix for artifact naming." description: "Suffix for artifact naming."
required: true required: true
keepMeasurements:
default: "false"
description: "Keep measurements embedded in the CLI."
existingConfig: existingConfig:
default: "false" default: "false"
description: "Use existing config file." description: "Use existing config file."
fetchMeasurements:
default: "false"
description: "Update measurements via the 'constellation config fetch-measurements' command."
# #
# GCP specific inputs # GCP specific inputs
# #
@ -115,53 +115,6 @@ runs:
yq eval -i "(.kubernetesVersion) = \"${{ inputs.kubernetesVersion }}\"" constellation-conf.yaml yq eval -i "(.kubernetesVersion) = \"${{ inputs.kubernetesVersion }}\"" constellation-conf.yaml
fi fi
- name: Remove embedded measurements
if: inputs.keepMeasurements == 'false'
shell: bash
run: |
if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]]
then
yq eval -i \
"(.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
yq eval -i \
"(.provider | select(. | has(\"azure\")).azure.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
yq eval -i \
"(.provider | select(. | has(\"gcp\")).gcp.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\
constellation-conf.yaml
yq eval -i \
"(.provider | select(. | has(\"qemu\")).qemu.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
else
yq eval -i \
"(.attestation | select(. | has(\"awsNitroTPM\")).awsNitroTPM.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
yq eval -i \
"(.attestation | select(. | has(\"awsSEVSNP\")).awsSEVSNP.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
yq eval -i \
"(.attestation | select(. | has(\"azureSEVSNP\")).azureSEVSNP.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
yq eval -i \
"(.attestation | select(. | has(\"azureTrustedLaunch\")).azureTrustedLaunch.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
yq eval -i \
"(.attestation | select(. | has(\"gcpSEVES\")).gcpSEVES.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\
constellation-conf.yaml
yq eval -i \
"(.attestation | select(. | has(\"qemuVTPM\")).qemuVTPM.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \
constellation-conf.yaml
fi
- name: Set image - name: Set image
id: setImage id: setImage
shell: bash shell: bash
@ -178,6 +131,12 @@ runs:
yq eval -i "(.image) = \"${imageInput}\"" constellation-conf.yaml yq eval -i "(.image) = \"${imageInput}\"" constellation-conf.yaml
echo "image=${imageInput}" | tee -a "$GITHUB_OUTPUT" echo "image=${imageInput}" | tee -a "$GITHUB_OUTPUT"
- name: Update measurements for non-stable images
if: inputs.fetchMeasurements
shell: bash
run: |
constellation config fetch-measurements --debug --insecure
- name: Set instanceType - name: Set instanceType
if: inputs.machineType && inputs.machineType != 'default' if: inputs.machineType && inputs.machineType != 'default'
shell: bash shell: bash
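Review bot: The new step's guard `if: inputs.fetchMeasurements` drops the explicit comparison the removed step used (`if: inputs.keepMeasurements == 'false'`); inputs of a composite action arrive as strings, and the expression evaluator treats a non-empty string such as "false" as truthy, so the step appears to run even when a caller passes false — confirm against the runner, but `if: inputs.fetchMeasurements == 'true'` is the safe form. The run line `constellation config fetch-measurements --debug --insecure` also needs a why-comment: judging by the flag name and the Rekor verification path in this commit's Go hunk, `--insecure` presumably skips signature verification of the fetched measurements, so record why that is acceptable, e.g. `# --insecure: skip measurement signature verification; only acceptable for non-stable (debug/nightly) test images, never for stable ones`. Nothing in the action itself inspects the image chosen in the setImage step, so the "non-stable images" promise in the step name rests entirely on callers passing the right value.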


@ -29,9 +29,6 @@ inputs:
kubernetesVersion: kubernetesVersion:
description: "Kubernetes version to create the cluster from." description: "Kubernetes version to create the cluster from."
required: false required: false
keepMeasurements:
default: "false"
description: "Keep measurements embedded in the CLI."
gcpProject: gcpProject:
description: "The GCP project to deploy Constellation in." description: "The GCP project to deploy Constellation in."
required: false required: false
@ -74,6 +71,9 @@ inputs:
githubToken: githubToken:
description: "GitHub authorization token" description: "GitHub authorization token"
required: true required: true
fetchMeasurements:
default: "false"
description: "Update measurements via the 'constellation config fetch-measurements' command."
outputs: outputs:
kubeconfig: kubeconfig:
@ -237,9 +237,9 @@ runs:
osImage: ${{ inputs.osImage }} osImage: ${{ inputs.osImage }}
isDebugImage: ${{ inputs.isDebugImage }} isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }} kubernetesVersion: ${{ inputs.kubernetesVersion }}
keepMeasurements: ${{ inputs.keepMeasurements }}
existingConfig: ${{ steps.constellation-iam-create.outputs.existingConfig }} existingConfig: ${{ steps.constellation-iam-create.outputs.existingConfig }}
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
fetchMeasurements: ${{ inputs.fetchMeasurements }}
# #
# Test payloads # Test payloads
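Review bot: The description of the new `fetchMeasurements` input does not say what enabling it implies, and the input is a plain string even though every caller in this commit passes a boolean expression that the runner stringifies to "true"/"false" before it reaches this action. Suggest `description: "Set to 'true' to replace the CLI's embedded measurements with the ones fetched for the image via 'constellation config fetch-measurements' (forwarded to constellation_create); keep 'false' for stable images whose measurements are embedded in the CLI."` The input was also appended after `githubToken` rather than next to `kubernetesVersion`, where the removed `keepMeasurements` lived; keeping the cluster-configuration inputs together makes the action's interface easier to read.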


@ -84,6 +84,7 @@ jobs:
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
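Review bot: `fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}` keys the decision on an exact string literal, including the trailing `?` placeholder, and the same literal is duplicated verbatim in another workflow of this commit; if a matrix entry ever spells the stable stream differently, the inequality is true and measurements are fetched (with `--insecure`) for a stable image, quietly defeating the "keep embedded measurements" intent. Consider a substring test such as `!contains(matrix.refStream, '/stream/stable/')`, which is the form the third workflow in this commit already uses, or at least a comment above the line: `# stable images ship with measurements embedded in the CLI; only fetch for other streams`. The `if: always()` on the following step is unchanged context.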


@ -40,11 +40,6 @@ on:
description: "Kubernetes version to create the cluster from." description: "Kubernetes version to create the cluster from."
default: "1.26" default: "1.26"
required: true required: true
keepMeasurements:
description: "Keep measurements embedded in the CLI."
type: boolean
default: false
required: false
cliVersion: cliVersion:
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref." description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
type: string type: string
@ -87,10 +82,6 @@ on:
description: "Kubernetes version to create the cluster from." description: "Kubernetes version to create the cluster from."
type: string type: string
required: true required: true
keepMeasurements:
description: "Keep measurements embedded in the CLI."
type: boolean
required: true
cliVersion: cliVersion:
description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref." description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
type: string type: string
@ -247,7 +238,6 @@ jobs:
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ inputs.test }} test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }} kubernetesVersion: ${{ inputs.kubernetesVersion }}
keepMeasurements: ${{ inputs.keepMeasurements }}
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
@ -259,6 +249,7 @@ jobs:
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
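Review bot: `fetchMeasurements: ${{ contains(needs.find-latest-image.outputs.image, '/stream/stable/') }}` is inverted: it evaluates to true exactly for stable images, whereas the other two workflows in this commit fetch when the stream is not stable and the action step being enabled is named "Update measurements for non-stable images". As written, stable-image runs would fetch measurements (with `--insecure`) and non-stable runs would keep the embedded ones, the opposite of the commit's intent; the line should read `fetchMeasurements: ${{ !contains(needs.find-latest-image.outputs.image, '/stream/stable/') }}`. It is also worth confirming that `find-latest-image` always emits a reference containing the stream segment, because an empty output silently picks a side in this expression rather than failing the job.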


@ -189,7 +189,6 @@ jobs:
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
cliVersion: "" cliVersion: ""
kubernetesVersion: ${{ matrix.kubernetes-version }} kubernetesVersion: ${{ matrix.kubernetes-version }}
keepMeasurements: "true"
osImage: "" osImage: ""
isDebugImage: "false" isDebugImage: "false"
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
@ -205,7 +204,6 @@ jobs:
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
uses: ./.github/actions/constellation_destroy uses: ./.github/actions/constellation_destroy


@ -207,6 +207,7 @@ jobs:
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }} azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
registry: ghcr.io registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
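Review bot: `fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}` compares against an exact literal with a trailing `?` placeholder, so any variation in how a matrix entry spells the stable stream makes the inequality true and fetches measurements with `--insecure` for a stable image instead of keeping the embedded ones. A substring test, `!contains(matrix.refStream, '/stream/stable/')`, is more robust and matches the `contains` form used elsewhere in this commit; at minimum add `# only stable images carry embedded measurements; fetch for every other stream` above the line. The `if: always()` on the next step is unchanged context.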


@ -164,6 +164,7 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
cfm.log.Debugf("Verified measurements with Rekor") cfm.log.Debugf("Verified measurements with Rekor")
} }
cfm.log.Debugf("Measurements:\n", fetchedMeasurements)
cfm.log.Debugf("Updating measurements in configuration") cfm.log.Debugf("Updating measurements in configuration")
conf.UpdateMeasurements(fetchedMeasurements) conf.UpdateMeasurements(fetchedMeasurements)
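Review bot: `cfm.log.Debugf("Measurements:\n", fetchedMeasurements)` passes an argument but the format string has no formatting directive; assuming Debugf is printf-style like the neighbouring calls, fmt appends the value as `%!(EXTRA ...)` instead of printing it cleanly, and `go vet`'s printf check will flag the call. Use `cfm.log.Debugf("Measurements:\n%v", fetchedMeasurements)` (or `%s` if the type implements Stringer). This is the line whose output the CI step added in this commit (`fetch-measurements --debug`) will surface in job logs, so it is worth getting the formatting right. The enclosing configFetchMeasurements function starts and ends outside the hunk.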