mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-25 14:56:18 -05:00
Image upload AWS
This commit is contained in:
parent
0c297f7b10
commit
b57b25fdaa
72
.github/workflows/build-os-image.yml
vendored
72
.github/workflows/build-os-image.yml
vendored
@ -64,33 +64,41 @@ jobs:
|
|||||||
# TODO: flatten outputs once possible
|
# TODO: flatten outputs once possible
|
||||||
# https://github.com/community/community/discussions/17245
|
# https://github.com/community/community/discussions/17245
|
||||||
outputs:
|
outputs:
|
||||||
|
image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }}
|
||||||
image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }}
|
image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }}
|
||||||
image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }}
|
image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }}
|
||||||
image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }}
|
image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }}
|
||||||
|
image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }}
|
||||||
image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }}
|
image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }}
|
||||||
image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }}
|
image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }}
|
||||||
image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }}
|
image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }}
|
||||||
|
image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }}
|
||||||
image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }}
|
image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }}
|
||||||
image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }}
|
image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }}
|
||||||
image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }}
|
image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }}
|
||||||
|
image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }}
|
||||||
image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }}
|
image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }}
|
||||||
image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }}
|
image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }}
|
||||||
image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }}
|
image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }}
|
||||||
|
image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }}
|
||||||
image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }}
|
image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }}
|
||||||
image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }}
|
image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }}
|
||||||
image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }}
|
image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }}
|
||||||
|
image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }}
|
||||||
image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }}
|
image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }}
|
||||||
image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }}
|
image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }}
|
||||||
image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }}
|
image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }}
|
||||||
|
image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }}
|
||||||
image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }}
|
image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }}
|
||||||
image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }}
|
image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }}
|
||||||
image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }}
|
image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }}
|
||||||
|
image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }}
|
||||||
image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }}
|
image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }}
|
||||||
image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }}
|
image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }}
|
||||||
image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }}
|
image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }}
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
csp: [azure, gcp, qemu]
|
csp: [aws, azure, gcp, qemu]
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791
|
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791
|
||||||
@ -183,9 +191,12 @@ jobs:
|
|||||||
name: "Upload OS image to CSP"
|
name: "Upload OS image to CSP"
|
||||||
needs: make-os-image
|
needs: make-os-image
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: read
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
csp: [azure, gcp]
|
csp: [aws, azure, gcp]
|
||||||
upload-variant: [""]
|
upload-variant: [""]
|
||||||
include:
|
include:
|
||||||
- csp: azure
|
- csp: azure
|
||||||
@ -205,9 +216,19 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
echo "::group::Install tools"
|
echo "::group::Install tools"
|
||||||
sudo apt-get update
|
sudo apt-get update
|
||||||
sudo apt-get install -y pigz qemu-utils
|
sudo apt-get install -y \
|
||||||
|
pigz \
|
||||||
|
qemu-utils \
|
||||||
|
python3-crc32c
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
|
- name: Login to AWS
|
||||||
|
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
|
||||||
|
if: ${{ matrix.csp == 'aws' || matrix.csp == 'azure' }}
|
||||||
|
with:
|
||||||
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
||||||
|
aws-region: eu-central-1
|
||||||
|
|
||||||
- name: Login to Azure
|
- name: Login to Azure
|
||||||
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
|
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
|
||||||
if: ${{ matrix.csp == 'azure' }}
|
if: ${{ matrix.csp == 'azure' }}
|
||||||
@ -229,7 +250,7 @@ jobs:
|
|||||||
id: version
|
id: version
|
||||||
uses: ./.github/actions/pseudo_version
|
uses: ./.github/actions/pseudo_version
|
||||||
|
|
||||||
# Make sure to set valid names for GCP and Azure
|
# Make sure to set valid names for AWS, Azure and GCP
|
||||||
# Azure
|
# Azure
|
||||||
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
|
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
|
||||||
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
|
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
|
||||||
@ -245,6 +266,13 @@ jobs:
|
|||||||
imageVersion=${{ inputs.imageVersion }}
|
imageVersion=${{ inputs.imageVersion }}
|
||||||
pseudover=${{ steps.version.outputs.pseudoVersion }}
|
pseudover=${{ steps.version.outputs.pseudoVersion }}
|
||||||
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
|
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
|
||||||
|
echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV
|
||||||
|
echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV
|
||||||
|
echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV
|
||||||
|
echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV
|
||||||
|
echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV
|
||||||
|
echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV
|
||||||
|
echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV
|
||||||
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
|
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
|
||||||
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
|
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
|
||||||
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
|
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
|
||||||
@ -266,6 +294,7 @@ jobs:
|
|||||||
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
|
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
|
||||||
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
|
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
|
||||||
then
|
then
|
||||||
|
echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV
|
||||||
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
|
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
|
||||||
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
|
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
|
||||||
AZURE_IMAGE_DEFINITION=constellation
|
AZURE_IMAGE_DEFINITION=constellation
|
||||||
@ -273,12 +302,14 @@ jobs:
|
|||||||
AZURE_GALLERY_NAME=Constellation
|
AZURE_GALLERY_NAME=Constellation
|
||||||
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
|
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
|
||||||
then
|
then
|
||||||
|
echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
|
||||||
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
||||||
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
|
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
|
||||||
AZURE_IMAGE_DEFINITION=${semver}
|
AZURE_IMAGE_DEFINITION=${semver}
|
||||||
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
|
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
|
||||||
AZURE_GALLERY_NAME=Constellation_Debug
|
AZURE_GALLERY_NAME=Constellation_Debug
|
||||||
else
|
else
|
||||||
|
echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
|
||||||
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
||||||
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
|
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
|
||||||
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
|
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
|
||||||
@ -299,12 +330,25 @@ jobs:
|
|||||||
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
|
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
|
||||||
|
|
||||||
- name: Download VMGS blob
|
- name: Download VMGS blob
|
||||||
run: aws s3 cp \
|
run: |
|
||||||
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
aws s3 cp \
|
||||||
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
--region ${AWS_REGION} \
|
||||||
--no-progress
|
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||||||
|
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||||||
|
--no-progress
|
||||||
working-directory: ${{ github.workspace }}/image
|
working-directory: ${{ github.workspace }}/image
|
||||||
if: ${{ matrix.csp == 'azure' }}
|
if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }}
|
||||||
|
|
||||||
|
- name: Upload AWS image
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
echo "::group::Upload AWS image"
|
||||||
|
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
|
||||||
|
upload/upload_aws.sh "${AWS_AMI_OUTPUT}"
|
||||||
|
echo -e "Uploaded AWS image: \`\`\`$(cat "${AWS_AMI_OUTPUT}" | jq)\`\`\`" >> $GITHUB_STEP_SUMMARY
|
||||||
|
echo "::endgroup::"
|
||||||
|
working-directory: ${{ github.workspace }}/image
|
||||||
|
if: ${{ matrix.csp == 'aws' }}
|
||||||
|
|
||||||
- name: Upload GCP image
|
- name: Upload GCP image
|
||||||
shell: bash
|
shell: bash
|
||||||
@ -334,7 +378,7 @@ jobs:
|
|||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
csp: [azure, gcp, qemu]
|
csp: [aws, azure, gcp, qemu]
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
|
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
|
||||||
@ -417,6 +461,14 @@ jobs:
|
|||||||
cat > SHA256SUMS <<EOF
|
cat > SHA256SUMS <<EOF
|
||||||
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
|
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
|
||||||
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
|
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
|
||||||
|
${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
|
||||||
|
${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog
|
||||||
|
${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest
|
||||||
|
${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi
|
||||||
|
${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd
|
||||||
|
${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root.raw
|
||||||
|
${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity
|
||||||
|
${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz
|
||||||
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
|
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
|
||||||
${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
|
${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
|
||||||
${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest
|
${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest
|
||||||
|
@ -6,7 +6,7 @@ DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
|
|||||||
PKI ?= $(BASE_PATH)/pki
|
PKI ?= $(BASE_PATH)/pki
|
||||||
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
|
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
|
||||||
-include $(CURDIR)/config.mk
|
-include $(CURDIR)/config.mk
|
||||||
csps := qemu gcp azure
|
csps := aws qemu gcp azure
|
||||||
certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
|
certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
|
||||||
|
|
||||||
.PHONY: all clean inject-bins $(csps)
|
.PHONY: all clean inject-bins $(csps)
|
||||||
|
@ -31,7 +31,8 @@
|
|||||||
curl \
|
curl \
|
||||||
jq \
|
jq \
|
||||||
util-linux \
|
util-linux \
|
||||||
virt-manager
|
virt-manager \
|
||||||
|
python3-crc32c
|
||||||
```
|
```
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
@ -134,6 +135,34 @@ secure-boot/azure/delete.sh --name "${AZURE_DISK_NAME}-setup-secure-boot"
|
|||||||
|
|
||||||
## Upload to CSP
|
## Upload to CSP
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>AWS</summary>
|
||||||
|
|
||||||
|
- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
|
||||||
|
- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))
|
||||||
|
- Choose secure boot PKI public keys (one of `pki_dev`, `pki_test`, `pki_prod`)
|
||||||
|
- `pki_dev` can be used for local image builds
|
||||||
|
- `pki_test` is used by the CI for non-release images
|
||||||
|
- `pki_prod` is used for release images
|
||||||
|
|
||||||
|
```sh
|
||||||
|
# set these variables
|
||||||
|
export AWS_IMAGE_NAME= # e.g. "constellation-v1.0.0"
|
||||||
|
export PKI=${PWD}/pki
|
||||||
|
|
||||||
|
export AWS_REGION=eu-central-1
|
||||||
|
export AWS_REPLICATION_REGIONS="us-east-2"
|
||||||
|
export AWS_BUCKET=constellation-images
|
||||||
|
export AWS_EFIVARS_PATH=${PWD}/mkosi.output.aws/fedora~36/efivars.bin
|
||||||
|
export AWS_IMAGE_PATH=${PWD}/mkosi.output.aws/fedora~36/image.raw
|
||||||
|
export AWS_IMAGE_FILENAME=image-$(date +%s).raw
|
||||||
|
export AWS_AMI_OUTPUT=${PWD}/mkosi.output.aws/fedora~36/ami.txt
|
||||||
|
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
|
||||||
|
upload/upload_aws.sh "${AWS_AMI_OUTPUT}"
|
||||||
|
```
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>GCP</summary>
|
<summary>GCP</summary>
|
||||||
|
|
||||||
|
3
image/mkosi.files/mkosi.aws.conf
Normal file
3
image/mkosi.files/mkosi.aws.conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
[Output]
|
||||||
|
KernelCommandLine=constel.csp=aws
|
||||||
|
OutputDirectory=mkosi.output.aws
|
9
image/secure-boot/aws/create_uefivars.sh
Executable file
9
image/secure-boot/aws/create_uefivars.sh
Executable file
@ -0,0 +1,9 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
TMPDIR=$(mktemp -d /tmp/uefivars-XXXXXXXXXXXXXX)
|
||||||
|
git clone https://github.com/awslabs/python-uefivars ${TMPDIR}
|
||||||
|
|
||||||
|
"${TMPDIR}/uefivars.py" -i none -o aws -O "$1" -P ${PKI}/PK.esl -K ${PKI}/KEK.esl --db ${PKI}/db.esl
|
||||||
|
|
||||||
|
rm -rf "${TMPDIR}"
|
149
image/upload/upload_aws.sh
Executable file
149
image/upload/upload_aws.sh
Executable file
@ -0,0 +1,149 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# Copyright (c) Edgeless Systems GmbH
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
|
||||||
|
. "${CONFIG_FILE}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
PK_FILE=${PKI}/PK.cer
|
||||||
|
KEK_FILES=${PKI}/KEK.cer,${PKI}/MicCorKEKCA2011_2011-06-24.crt
|
||||||
|
DB_FILES=${PKI}/db.cer,${PKI}/MicWinProPCA2011_2011-10-19.crt,${PKI}/MicCorUEFCA2011_2011-06-27.crt
|
||||||
|
CONTAINERS_JSON=$(mktemp /tmp/containers-XXXXXXXXXXXXXX.json)
|
||||||
|
declare -A AMI_FOR_REGION
|
||||||
|
AMI_OUTPUT=$1
|
||||||
|
|
||||||
|
import_status() {
|
||||||
|
local import_task_id=$1
|
||||||
|
aws ec2 describe-import-snapshot-tasks --region "${AWS_REGION}" --import-task-ids "${import_task_id}" | jq -r '.ImportSnapshotTasks[0].SnapshotTaskDetail.Status'
|
||||||
|
}
|
||||||
|
|
||||||
|
wait_for_import() {
|
||||||
|
local import_task_id=$1
|
||||||
|
local status
|
||||||
|
echo -n "Waiting for import to finish"
|
||||||
|
while true; do
|
||||||
|
local status=$(import_status "${import_task_id}")
|
||||||
|
case "${status}" in
|
||||||
|
completed)
|
||||||
|
echo -e "\nImport completed."
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
active)
|
||||||
|
echo -n "."
|
||||||
|
sleep 5
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Unexpected status: ${status}"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
wait_for_image_available() {
|
||||||
|
local ami_id=$1
|
||||||
|
local region=$2
|
||||||
|
echo -n "Waiting for image ${ami_id} to be available"
|
||||||
|
while true; do
|
||||||
|
# Waiter ImageAvailable failed: Max attempts exceeded
|
||||||
|
local status=$(aws ec2 wait image-available \
|
||||||
|
--region ${region} \
|
||||||
|
--image-ids "${ami_id}" 2>&1 || true)
|
||||||
|
case "${status}" in
|
||||||
|
"")
|
||||||
|
echo -e "\nImage available."
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
*"Max attempts exceeded"*)
|
||||||
|
echo -n "."
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Unexpected status: ${status}"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
tag_ami_with_backing_snapshot() {
|
||||||
|
local ami_id=$1
|
||||||
|
local region=$2
|
||||||
|
wait_for_image_available "${ami_id}" "${region}"
|
||||||
|
local snapshot_id=$(aws ec2 describe-images \
|
||||||
|
--region "${region}" \
|
||||||
|
--image-ids "${ami_id}" \
|
||||||
|
--output text --query "Images[0].BlockDeviceMappings[0].Ebs.SnapshotId")
|
||||||
|
aws ec2 create-tags \
|
||||||
|
--region "${region}" \
|
||||||
|
--resources "${ami_id}" "${snapshot_id}" \
|
||||||
|
--tags "Key=Name,Value=${AWS_IMAGE_NAME}"
|
||||||
|
}
|
||||||
|
|
||||||
|
create_ami_from_raw_disk() {
|
||||||
|
echo "Uploading raw disk image to S3"
|
||||||
|
aws s3 cp "${AWS_IMAGE_PATH}" "s3://${AWS_BUCKET}/${AWS_IMAGE_FILENAME}" --no-progress
|
||||||
|
printf '{
|
||||||
|
"Description": "%s",
|
||||||
|
"Format": "raw",
|
||||||
|
"UserBucket": {
|
||||||
|
"S3Bucket": "%s",
|
||||||
|
"S3Key": "%s"
|
||||||
|
}
|
||||||
|
}' "${AWS_IMAGE_NAME}" "${AWS_BUCKET}" "${AWS_IMAGE_FILENAME}" > "${CONTAINERS_JSON}"
|
||||||
|
IMPORT_SNAPSHOT=$(aws ec2 import-snapshot --region "${AWS_REGION}" --disk-container "file://${CONTAINERS_JSON}")
|
||||||
|
echo $IMPORT_SNAPSHOT
|
||||||
|
IMPORT_TASK_ID=$(echo $IMPORT_SNAPSHOT | jq -r '.ImportTaskId')
|
||||||
|
aws ec2 describe-import-snapshot-tasks --region "${AWS_REGION}" --import-task-ids "${IMPORT_TASK_ID}"
|
||||||
|
wait_for_import "${IMPORT_TASK_ID}"
|
||||||
|
AWS_SNAPSHOT=$(aws ec2 describe-import-snapshot-tasks --region "${AWS_REGION}" --import-task-ids "${IMPORT_TASK_ID}" | jq -r '.ImportSnapshotTasks[0].SnapshotTaskDetail.SnapshotId')
|
||||||
|
echo "Deleting raw disk image from S3"
|
||||||
|
aws s3 rm "s3://${AWS_BUCKET}/${AWS_IMAGE_FILENAME}"
|
||||||
|
rm "${CONTAINERS_JSON}"
|
||||||
|
REGISTER_OUT=$(aws ec2 register-image \
|
||||||
|
--region "${AWS_REGION}" \
|
||||||
|
--name "${AWS_IMAGE_NAME}" \
|
||||||
|
--boot-mode uefi \
|
||||||
|
--architecture x86_64 \
|
||||||
|
--root-device-name /dev/xvda \
|
||||||
|
--block-device-mappings "DeviceName=/dev/xvda,Ebs={SnapshotId=${AWS_SNAPSHOT}}" \
|
||||||
|
--ena-support \
|
||||||
|
--tpm-support v2.0 \
|
||||||
|
--uefi-data $(cat ${AWS_EFIVARS_PATH}))
|
||||||
|
IMAGE_ID=$(echo $REGISTER_OUT | jq -r '.ImageId')
|
||||||
|
AMI_FOR_REGION=( ["${AWS_REGION}"]="${IMAGE_ID}")
|
||||||
|
tag_ami_with_backing_snapshot "${IMAGE_ID}" "${AWS_REGION}"
|
||||||
|
echo "Imported initial AMI as ${IMAGE_ID} in ${AWS_REGION}"
|
||||||
|
}
|
||||||
|
|
||||||
|
replicate_ami() {
|
||||||
|
local target_region=$1
|
||||||
|
local replicated_image_out=$(aws ec2 copy-image \
|
||||||
|
--name "${AWS_IMAGE_NAME}" \
|
||||||
|
--source-region "${AWS_REGION}" \
|
||||||
|
--source-image-id "${IMAGE_ID}" \
|
||||||
|
--region "${target_region}")
|
||||||
|
local replicated_image_id=$(echo $replicated_image_out | jq -r '.ImageId')
|
||||||
|
AMI_FOR_REGION["${target_region}"]=${replicated_image_id}
|
||||||
|
echo "Replicated AMI as ${replicated_image_id} in ${target_region}"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
create_ami_from_raw_disk
|
||||||
|
# replicate in parallel
|
||||||
|
for region in ${AWS_REPLICATION_REGIONS}; do
|
||||||
|
replicate_ami "${region}"
|
||||||
|
done
|
||||||
|
# wait for all images to be available and tag them
|
||||||
|
for region in ${AWS_REPLICATION_REGIONS}; do
|
||||||
|
tag_ami_with_backing_snapshot "${AMI_FOR_REGION[${region}]}" "${region}"
|
||||||
|
done
|
||||||
|
echo -n "{\"${AWS_REGION}\": \"${AMI_FOR_REGION[${AWS_REGION}]}\"" > "${AMI_OUTPUT}"
|
||||||
|
for region in ${AWS_REPLICATION_REGIONS}; do
|
||||||
|
echo -n ", \"${region}\": \"${AMI_FOR_REGION[${region}]}\"" >> "${AMI_OUTPUT}"
|
||||||
|
done
|
||||||
|
echo "}" >> "${AMI_OUTPUT}"
|
Loading…
x
Reference in New Issue
Block a user