mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-03 11:50:57 -05:00
84 lines
3.3 KiB
YAML
84 lines
3.3 KiB
YAML
name: Constellation verify
|
|
description: "Verify a Constellation cluster."
|
|
|
|
inputs:
|
|
osImage:
|
|
description: "The OS image used in the cluster."
|
|
required: true
|
|
cloudProvider:
|
|
description: "The cloud provider used in the cluster."
|
|
required: true
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Clear current measurements
|
|
shell: bash
|
|
run: |
|
|
if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]]
|
|
then
|
|
yq -i 'del(.provider.${{ inputs.cloudProvider }}.measurements)' constellation-conf.yaml
|
|
else
|
|
yq -i 'del(.attestation.awsNitroTPM.measurements)' constellation-conf.yaml
|
|
yq -i 'del(.attestation.azureSEVSNP.measurements)' constellation-conf.yaml
|
|
yq -i 'del(.attestation.azureTrustedLaunch.measurements)' constellation-conf.yaml
|
|
yq -i 'del(.attestation.gcpSEVES.measurements)' constellation-conf.yaml
|
|
yq -i 'del(.attestation.qemuVTPM.measurements)' constellation-conf.yaml
|
|
fi
|
|
|
|
- name: Expand version path
|
|
id: expand-version
|
|
uses: ./.github/actions/shortname
|
|
with:
|
|
shortname: ${{ inputs.osImage }}
|
|
|
|
- name: Get attestation variant
|
|
id: get-variant
|
|
shell: bash
|
|
run: |
|
|
# TODO(AB#3144): Refactor when API is update for attestation variants
|
|
case ${{ inputs.cloudProvider }} in
|
|
aws)
|
|
echo ATTESTATION_VARIANT=awsNitroTPM >> $GITHUB_OUTPUT
|
|
;;
|
|
azure)
|
|
echo ATTESTATION_VARIANT=azureSEVSNP >> $GITHUB_OUTPUT
|
|
;;
|
|
gcp)
|
|
echo ATTESTATION_VARIANT=gcpSEVES >> $GITHUB_OUTPUT
|
|
;;
|
|
qemu)
|
|
echo ATTESTATION_VARIANT=qemuVTPM >> $GITHUB_OUTPUT
|
|
;;
|
|
esac
|
|
|
|
- name: Fetch & write measurements
|
|
shell: bash
|
|
run: |
|
|
ref=${{ steps.expand-version.outputs.ref }}
|
|
stream=${{ steps.expand-version.outputs.stream }}
|
|
version=${{ steps.expand-version.outputs.version }}
|
|
verPath="ref/${ref}/stream/${stream}/${version}"
|
|
MEASUREMENTS=$(curl -fsSL https://cdn.confidential.cloud/constellation/v1/${verPath}/image/csp/${{ inputs.cloudProvider }}/measurements.json | jq '.measurements' -r)
|
|
for key in $(echo $MEASUREMENTS | jq 'keys[]' -r); do
|
|
echo Updating $key to $(echo $MEASUREMENTS | jq ".\"$key\"" -r)
|
|
if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]]
|
|
then
|
|
yq -i ".provider.${{ inputs.cloudProvider }}.measurements.[$key] = $(echo $MEASUREMENTS | jq ".\"$key\"")" constellation-conf.yaml
|
|
else
|
|
yq -i ".attestation.${{ steps.get-variant.outputs.ATTESTATION_VARIANT }}.measurements.[$key] = $(echo $MEASUREMENTS | jq ".\"$key\"")" constellation-conf.yaml
|
|
fi
|
|
done
|
|
|
|
if [[ $(yq '.version' constellation-conf.yaml) == "v2" ]]
|
|
then
|
|
yq -i '.provider.${{ inputs.cloudProvider }}.measurements |= array_to_map' constellation-conf.yaml
|
|
else
|
|
yq -i '.attestation.${{ steps.get-variant.outputs.ATTESTATION_VARIANT }}.measurements |= array_to_map' constellation-conf.yaml
|
|
fi
|
|
cat constellation-conf.yaml
|
|
|
|
- name: Constellation verify
|
|
shell: bash
|
|
run: constellation verify --cluster-id $(jq -r ".clusterID" constellation-id.json) --force
|