Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

e2e: detect changing idKeyDigests on azure

Browse Source 
by setting the Azure SNP enforcement policy to equal in the weekly e2e.
The run should fail when there are unexpected ID Key digests used.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2023-08-08 12:02:43 +02:00
parent c43210c90b
commit e466ce2f26
3 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.github/actions/constellation_create/action.yml vendored
View File

@ -10,7 +10,7 @@ inputs:
description: "Number of control-plane nodes to spawn." description: "Number of control-plane nodes to spawn."
required: true required: true
cloudProvider: cloudProvider:
description: "Either 'gcp' or 'azure'." description: "Either 'gcp', 'aws' or 'azure'."
required: true required: true
machineType: machineType:
description: "Machine type of VM to spawn." description: "Machine type of VM to spawn."
@ -33,6 +33,9 @@ inputs:
fetchMeasurements: fetchMeasurements:
default: "false" default: "false"
description: "Update measurements via the 'constellation config fetch-measurements' command." description: "Update measurements via the 'constellation config fetch-measurements' command."
azureSNPEnforcementPolicy:
required: false
description: "Azure SNP enforcement policy."
outputs: outputs:
kubeconfig: kubeconfig:
@ -50,6 +53,17 @@ runs:
run: | run: |
yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml
- name: Set Azure SNP enforcement policy
if: inputs.azureSNPEnforcementPolicy != ''
shell: bash
run: |
if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then
echo "SNP enforcement policy is only supported for Azure"
exit 1
fi
yq eval -i "(.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy) \
= \"${{ inputs.azureSNPEnforcementPolicy }}\"" constellation-conf.yaml
- name: Set image - name: Set image
id: setImage id: setImage
shell: bash shell: bash

3
.github/actions/e2e_test/action.yml vendored
View File

@ -74,6 +74,8 @@ inputs:
fetchMeasurements: fetchMeasurements:
default: "false" default: "false"
description: "Update measurements via the 'constellation config fetch-measurements' command." description: "Update measurements via the 'constellation config fetch-measurements' command."
azureSNPEnforcementPolicy:
description: "Enable security policy for the cluster."
outputs: outputs:
kubeconfig: kubeconfig:
@ -239,6 +241,7 @@ runs:
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }} artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
fetchMeasurements: ${{ inputs.fetchMeasurements }} fetchMeasurements: ${{ inputs.fetchMeasurements }}
cliVersion: ${{ inputs.cliVersion }} cliVersion: ${{ inputs.cliVersion }}
azureSNPEnforcementPolicy: ${{ inputs.azureSNPEnforcementPolicy }}
# #
# Test payloads # Test payloads

2
.github/workflows/e2e-test-weekly.yml vendored
View File

@ -99,6 +99,7 @@ jobs:
refStream: "ref/main/stream/debug/?" refStream: "ref/main/stream/debug/?"
provider: "azure" provider: "azure"
kubernetes-version: "v1.27" kubernetes-version: "v1.27"
azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
- test: "verify" - test: "verify"
provider: "aws" provider: "aws"
refStream: "ref/main/stream/debug/?" refStream: "ref/main/stream/debug/?"
@ -208,6 +209,7 @@ jobs:
registry: ghcr.io registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }} fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()