e2e: detect changing idKeyDigests on azure

by setting the Azure SNP enforcement policy to equal in the weekly e2e. The run should fail when there are unexpected ID Key digests used. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2025-04-25 17:49:21 -04:00 · 2023-08-08 12:02:43 +02:00 · 2023-08-08 12:02:43 +02:00 · e466ce2f26
commit e466ce2f26
parent c43210c90b
3 changed files with 20 additions and 1 deletions
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@ -10,7 +10,7 @@ inputs:
    description: "Number of control-plane nodes to spawn."
    required: true
  cloudProvider:
-    description: "Either 'gcp' or 'azure'."
+    description: "Either 'gcp', 'aws' or 'azure'."
    required: true
  machineType:
    description: "Machine type of VM to spawn."
@ -33,6 +33,9 @@ inputs:
  fetchMeasurements:
    default: "false"
    description: "Update measurements via the 'constellation config fetch-measurements' command."
+  azureSNPEnforcementPolicy:
+    required: false
+    description: "Azure SNP enforcement policy."

 outputs:
  kubeconfig:
@ -50,6 +53,17 @@ runs:
      run: |
        yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml

+    - name: Set Azure SNP enforcement policy
+      if: inputs.azureSNPEnforcementPolicy != ''
+      shell: bash
+      run: |
+        if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then
+          echo "SNP enforcement policy is only supported for Azure"
+          exit 1
+        fi
+        yq eval -i "(.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy) \
+          = \"${{ inputs.azureSNPEnforcementPolicy }}\"" constellation-conf.yaml
+
    - name: Set image
      id: setImage
      shell: bash
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -74,6 +74,8 @@ inputs:
  fetchMeasurements:
    default: "false"
    description: "Update measurements via the 'constellation config fetch-measurements' command."
+  azureSNPEnforcementPolicy:
+    description: "Enable security policy for the cluster."

 outputs:
  kubeconfig:
@ -239,6 +241,7 @@ runs:
        artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
        fetchMeasurements: ${{ inputs.fetchMeasurements }}
        cliVersion: ${{ inputs.cliVersion }}
+        azureSNPEnforcementPolicy: ${{ inputs.azureSNPEnforcementPolicy }}

    #
    # Test payloads
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -99,6 +99,7 @@ jobs:
            refStream: "ref/main/stream/debug/?"
            provider: "azure"
            kubernetes-version: "v1.27"
+            azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
          - test: "verify"
            provider: "aws"
            refStream: "ref/main/stream/debug/?"
@ -208,6 +209,7 @@ jobs:
          registry: ghcr.io
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
+          azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }}

      - name: Always terminate cluster
        if: always()