mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-28 17:09:30 -05:00
115 lines
4.6 KiB
YAML
115 lines
4.6 KiB
YAML
name: Constellation measure
|
|
description: |
|
|
Create measurements of a Constellation cluster and print to stdout.
|
|
Optionally sign and/or upload to S3, if corresponding inputs are provided.
|
|
inputs:
|
|
cloudProvider:
|
|
description: "Either 'gcp' or 'azure'."
|
|
required: true
|
|
cosignPublicKey:
|
|
description: "Cosign public key"
|
|
required: false
|
|
default: ""
|
|
cosignPrivateKey:
|
|
description: "Cosign private key"
|
|
required: false
|
|
default: ""
|
|
cosignPassword:
|
|
description: "Password for Cosign private key"
|
|
required: false
|
|
default: ""
|
|
awsAccessKeyID:
|
|
description: "AWS access key ID to upload measurements"
|
|
required: false
|
|
default: ""
|
|
awsSecretAccessKey:
|
|
description: "AWS secret access key to upload measurements"
|
|
required: false
|
|
default: ""
|
|
awsDefaultRegion:
|
|
description: "AWS region of S3 bucket to upload measurements"
|
|
required: false
|
|
default: ""
|
|
awsBucketName:
|
|
description: "S3 bucket name to upload measurements to"
|
|
required: false
|
|
default: ""
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Build hack/pcr-reader
|
|
run: |
|
|
echo "::group::Build pcr-reader"
|
|
go build .
|
|
echo "$(pwd)" >> $GITHUB_PATH
|
|
working-directory: hack/pcr-reader
|
|
shell: bash
|
|
|
|
# Check /docs/secure_software_distribution.md#sign-measurements
|
|
# for why we ignore certain measurement values.
|
|
- name: Fetch PCRs
|
|
run: |
|
|
KUBECONFIG="$PWD/constellation-admin.conf" kubectl rollout status ds/verification-service -n kube-system --timeout=3m
|
|
CONSTELL_IP=$(jq -r ".ip" constellation-id.json)
|
|
pcr-reader --constell-ip ${CONSTELL_IP} -format yaml > measurements.yaml
|
|
case $CSP in
|
|
azure)
|
|
yq e 'del(.[0,6,10,11,12,13,14,15,16,17,18,19,20,21,22,23])' -i measurements.yaml
|
|
;;
|
|
gcp)
|
|
yq e 'del(.[11,12,13,14,15,16,17,18,19,20,21,22,23])' -i measurements.yaml
|
|
;;
|
|
esac
|
|
cat measurements.yaml
|
|
shell: bash
|
|
env:
|
|
CSP: ${{ inputs.cloudProvider }}
|
|
|
|
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
|
|
# once it has the functionality
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
|
|
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
|
|
- name: Install Rekor
|
|
run: |
|
|
curl -sLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
|
|
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
|
|
rm rekor-cli-linux-amd64
|
|
shell: bash
|
|
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
|
|
- name: Sign measurements
|
|
run: |
|
|
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
|
|
# Enabling experimental mode also publishes signature to Rekor
|
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY measurements.yaml > measurements.yaml.sig
|
|
# Verify - As documentation & check
|
|
# Local Signature (input: artifact, key, signature)
|
|
cosign verify-blob --key cosign.pub --signature measurements.yaml.sig measurements.yaml
|
|
# Transparency Log Signature (input: artifact, key)
|
|
uuid=$(rekor-cli search --artifact measurements.yaml | tail -n 1)
|
|
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
|
cosign verify-blob --key cosign.pub --signature <(echo $sig) measurements.yaml
|
|
shell: bash
|
|
env:
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
|
if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' }}
|
|
|
|
- name: Upload to S3
|
|
run: |
|
|
IMAGE=$(yq e ".provider.${CSP}.image" constellation-conf.yaml)
|
|
S3_PATH=s3://${PUBLIC_BUCKET_NAME}/${IMAGE,,}
|
|
aws s3 cp measurements.yaml ${S3_PATH}/measurements.yaml
|
|
if test -f measurements.yaml.sig; then
|
|
aws s3 cp measurements.yaml.sig ${S3_PATH}/measurements.yaml.sig
|
|
fi
|
|
shell: bash
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ inputs.awsAccessKeyID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ inputs.awsSecretAccessKey }}
|
|
AWS_DEFAULT_REGION: ${{ inputs.awsDefaultRegion }}
|
|
PUBLIC_BUCKET_NAME: ${{ inputs.awsBucketName }}
|
|
CSP: ${{ inputs.cloudProvider }}
|
|
if: ${{ inputs.awsAccessKeyID != '' && inputs.awsSecretAccessKey != '' && inputs.awsDefaultRegion != '' && inputs.awsBucketName != '' }}
|