name: Constellation verify description: "Verify a Constellation cluster." inputs: osImage: description: "The OS image used in the cluster." required: true cloudProvider: description: "The cloud provider used in the cluster." required: true kubeconfig: description: "The kubeconfig file for the cluster." required: true cosignPassword: required: true description: "The password for the cosign private key." cosignPrivateKey: required: true description: "The cosign private key." runs: using: "composite" steps: - name: Expand version path id: expand-version uses: ./.github/actions/shortname with: shortname: ${{ inputs.osImage }} - name: Constellation fetch measurements shell: bash run: | if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]] then constellation config fetch-measurements --insecure else constellation config fetch-measurements fi - name: Constellation verify shell: bash run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml) --force - name: Verify all nodes shell: bash env: KUBECONFIG: ${{ inputs.kubeconfig }} run: | clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml) nodes=$(kubectl get nodes -o json | jq -r ".items[].metadata.name") for node in $nodes ; do verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1) mapfile -t verificationPod <<< "$verificationPod" if [[ ${#verificationPod[@]} -ne 1 ]]; then echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}" exit 1 fi echo "Verifying pod ${verificationPod} on node ${node}" kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m kubectl port-forward -n kube-system "pods/${verificationPod}" 9090:9090 & forwarderPID=$! sleep 5 verifyOut=$(constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090) kill $forwarderPID if [[ ${{ inputs.cloudProvider }} != "azure" ]]; then continue fi echo "Extracting TCB versions for API update" startMAAToken="Microsoft Azure Attestation Token:" endMAAToken="Verification OK" sed -n "/${startMAAToken}/,/${endMAAToken}/ { /${startMAAToken}/d; /${endMAAToken}/d; p }" <<< "${verifyOut}" > "maa-claims-${node}.json" done - name: Login to AWS if: github.ref_name == 'main' && inputs.cloudProvider == 'azure' uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Upload extracted TCBs if: github.ref_name == 'main' && inputs.cloudProvider == 'azure' shell: bash env: COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} run: | for file in $(ls maa-claims-*.json); do path=$(realpath "${file}") cat "${path}" bazel run //internal/api/attestationconfigapi/cli -- --maa-claims-path "${path}" done