name: Constellation verify description: "Verify a Constellation cluster." inputs: osImage: description: "The OS image used in the cluster." required: true attestationVariant: description: "The attestation variant used in the cluster." required: true kubeconfig: description: "The kubeconfig file for the cluster." required: true cosignPassword: required: true description: "The password for the cosign private key." cosignPrivateKey: required: true description: "The cosign private key." runs: using: "composite" steps: - name: Expand version path id: expand-version uses: ./.github/actions/shortname with: shortname: ${{ inputs.osImage }} - name: Constellation fetch measurements shell: bash run: | if [[ ${{ }} == "debug" ]] then constellation config fetch-measurements --insecure else constellation config fetch-measurements fi - name: Constellation verify shell: bash run: constellation verify --cluster-id $(yq -r ".clusterValues.clusterID" constellation-state.yaml) - name: Verify all nodes shell: bash env: KUBECONFIG: ${{ inputs.kubeconfig }} run: | clusterID=$(yq -r ".clusterValues.clusterID" constellation-state.yaml) nodes=$(kubectl get nodes -o json | jq -r ".items[]") for node in $nodes ; do verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1) mapfile -t verificationPod <<< "$verificationPod" if [[ ${#verificationPod[@]} -ne 1 ]]; then echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}" exit 1 fi echo "Verifying pod ${verificationPod} on node ${node}" kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m kubectl port-forward -n kube-system "pods/${verificationPod}" 9090:9090 & forwarderPID=$! sleep 5 case "${{ inputs.attestationVariant }}" in "azure-sev-snp"|"azure-tdx"|"aws-sev-snp"|"gcp-sev-snp") echo "Extracting TCB versions for API update" constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 -o json > "attestation-report-${node}.json" ;; *) constellation verify --cluster-id "${clusterID}" --node-endpoint localhost:9090 ;; esac kill $forwarderPID done - name: Login to AWS if: github.ref_name == 'main' uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9 # v4.0.3 with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Upload extracted TCBs if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'azure-tdx' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp') shell: bash env: COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} run: | reports=attestation-report-*.json # bazel run changes the working directory # convert the relative paths to absolute paths to avoid issues absolute_reports="" for report in ${reports}; do absolute_reports="${absolute_reports} $(realpath "${report}")" done report=$(bazel run //internal/api/attestationconfigapi/cli -- compare ${{ inputs.attestationVariant }} ${absolute_reports}) path=$(realpath "${report}") cat "${path}" bazel run //internal/api/attestationconfigapi/cli -- upload ${{ inputs.attestationVariant }} attestation-report "${path}"