e2e: detect changing idKeyDigests on azure

by setting the Azure SNP enforcement policy to equal in the weekly e2e.
The run should fail when there are unexpected ID Key digests used.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Paul Meyer 2023-08-08 12:02:43 +02:00
parent c43210c90b
commit e466ce2f26
3 changed files with 20 additions and 1 deletions


@ -10,7 +10,7 @@ inputs:
description: "Number of control-plane nodes to spawn."
required: true
cloudProvider:
description: "Either 'gcp' or 'azure'."
description: "Either 'gcp', 'aws' or 'azure'."
required: true
machineType:
description: "Machine type of VM to spawn."
@ -33,6 +33,9 @@ inputs:
fetchMeasurements:
default: "false"
description: "Update measurements via the 'constellation config fetch-measurements' command."
azureSNPEnforcementPolicy:
required: false
description: "Azure SNP enforcement policy."
outputs:
kubeconfig:
@ -50,6 +53,17 @@ runs:
run: |
yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml
- name: Set Azure SNP enforcement policy
if: inputs.azureSNPEnforcementPolicy != ''
shell: bash
run: |
if [[ ${{ inputs.cloudProvider }} != 'azure' ]]; then
echo "SNP enforcement policy is only supported for Azure"
exit 1
fi
yq eval -i "(.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy) \
= \"${{ inputs.azureSNPEnforcementPolicy }}\"" constellation-conf.yaml
- name: Set image
id: setImage
shell: bash
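Review bot: The new "Set Azure SNP enforcement policy" step splices `inputs.cloudProvider` and `inputs.azureSNPEnforcementPolicy` straight into the `run:` script text — once in the unquoted `[[ ${{ inputs.cloudProvider }} != 'azure' ]]` test and once inside the yq filter string — so a quote, `$(`, or `;` in either input is executed by bash rather than treated as data, and an empty `cloudProvider` makes the `[[ ]]` test a syntax error instead of a clean failure. Pass both values through `env:` and reference them as quoted shell variables, and hand the policy to yq with `strenv()` so it is set as a string without re-quoting. It is also worth rejecting a policy value outside the set the CLI accepts before writing it into constellation-conf.yaml, so a typo in a workflow matrix surfaces here instead of as a later attestation failure.

```yaml
      - name: Set Azure SNP enforcement policy
        if: inputs.azureSNPEnforcementPolicy != ''
        shell: bash
        env:
          CLOUD_PROVIDER: ${{ inputs.cloudProvider }}
          SNP_POLICY: ${{ inputs.azureSNPEnforcementPolicy }}
        run: |
          if [[ "$CLOUD_PROVIDER" != 'azure' ]]; then
            echo "SNP enforcement policy is only supported for Azure"
            exit 1
          fi
          yq eval -i '(.attestation.azureSEVSNP.firmwareSignerConfig.enforcementPolicy) = strenv(SNP_POLICY)' constellation-conf.yaml
      # … unchanged: Set image step …
```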


@ -74,6 +74,8 @@ inputs:
fetchMeasurements:
default: "false"
description: "Update measurements via the 'constellation config fetch-measurements' command."
azureSNPEnforcementPolicy:
description: "Enable security policy for the cluster."
outputs:
kubeconfig:
@ -239,6 +241,7 @@ runs:
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
fetchMeasurements: ${{ inputs.fetchMeasurements }}
cliVersion: ${{ inputs.cliVersion }}
azureSNPEnforcementPolicy: ${{ inputs.azureSNPEnforcementPolicy }}
#
# Test payloads
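Review bot: The description of the new `azureSNPEnforcementPolicy` input, "Enable security policy for the cluster.", reads as a boolean switch, but the value is a policy name that is written verbatim into the config and, per the create-cluster action in this same commit, is only honoured when the provider is azure. Align it with the wording used in the other action and state the restriction: `description: "Azure SNP enforcement policy to set in the config. Ignored unless cloudProvider is 'azure'."`. Adding `required: false` as the sibling action does would also make the optional nature explicit to readers.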


@ -99,6 +99,7 @@ jobs:
refStream: "ref/main/stream/debug/?"
provider: "azure"
kubernetes-version: "v1.27"
azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
- test: "verify"
provider: "aws"
refStream: "ref/main/stream/debug/?"
@ -208,6 +209,7 @@ jobs:
registry: ghcr.io
githubToken: ${{ secrets.GITHUB_TOKEN }}
fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }}
- name: Always terminate cluster
if: always()
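Review bot: The inline comment on the new matrix entry has a typo, "disgests", and it should say what a failure of this run means, since this entry is now the weekly check that catches a rotated or unexpected ID key digest rather than an ordinary e2e regression. Suggested text: `# Policy "equal" makes this run fail on unknown ID Key digests; a failure here means the Azure firmware signer changed, not a test bug.` The pass-through on the second hunk is fine: matrix entries without the key yield an empty string, which the create-cluster action skips.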