name: Constellation verify description: "Verify a Constellation cluster." inputs: osImage: description: "The OS image used in the cluster." required: true attestationVariant: description: "The attestation variant used in the cluster." required: true kubeconfig: description: "The kubeconfig file for the cluster." required: true cosignPassword: required: true description: "The password for the cosign private key." cosignPrivateKey: required: true description: "The cosign private key." runs: using: "composite" steps: - name: Expand version path id: expand-version uses: ./.github/actions/shortname with: shortname: ${{ inputs.osImage }} - name: Constellation fetch measurements shell: bash run: | if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]] then constellation config fetch-measurements --insecure else constellation config fetch-measurements fi - name: Constellation verify shell: bash run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml) - name: Verify all nodes shell: bash env: KUBECONFIG: ${{ inputs.kubeconfig }} run: | clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml) nodes=$(kubectl get nodes -o json | jq -r ".items[].metadata.name") for node in $nodes ; do verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1) mapfile -t verificationPod <<< "$verificationPod" if [[ ${#verificationPod[@]} -ne 1 ]]; then echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}" exit 1 fi echo "Verifying pod ${verificationPod} on node ${node}" kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m kubectl port-forward -n kube-system "pods/${verificationPod}" 9090:9090 & forwarderPID=$! sleep 5 case "${{ inputs.attestationVariant }}" in "azure-sev-snp"|"azure-tdx"|"aws-sev-snp"|"gcp-sev-snp") echo "Extracting TCB versions for API update" constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "attestation-report-${node}.json" ;; *) constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 ;; esac kill $forwarderPID done - name: Login to AWS if: github.ref_name == 'main' uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Upload extracted TCBs if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'azure-tdx' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp') shell: bash env: COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} run: | reports=(attestation-report-*.json) if [ -z ${#reports[@]} ]; then exit 1 fi for file in "${reports[@]}"; do path=$(realpath "${file}") cat "${path}" bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.attestationVariant }} attestation-report "${path}" done