mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 23:49:37 -05:00
b79f7d0c8c
* image: support OpenStack image build / upload * cli: add OpenStack terraform template * config: add OpenStack as CSP * versionsapi: add OpenStack as CSP * cli: add OpenStack as provider for `config generate` and `create` * disk-mapper: add basic support for boot on OpenStack * debugd: add placeholder for OpenStack * image: fix config file sourcing for image upload
308 lines
13 KiB
YAML
308 lines
13 KiB
YAML
name: Determine OS image upload variables
|
|
description: "Determine parameters used for image upload to various CSPs."
|
|
inputs:
|
|
csp:
|
|
description: "Cloud Service Provider"
|
|
required: true
|
|
uploadVariant:
|
|
description: "Upload variant"
|
|
required: true
|
|
basePath:
|
|
description: "Base path to the image build directory"
|
|
required: true
|
|
ref:
|
|
description: "Branch of the image to be built (or '-' for releases)"
|
|
required: true
|
|
stream:
|
|
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
|
|
required: true
|
|
imageVersion:
|
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> or pseudo version"
|
|
required: false
|
|
imageType:
|
|
description: "Type of image to build"
|
|
required: true
|
|
debug:
|
|
description: "Build debug image"
|
|
required: false
|
|
default: "false"
|
|
outputs:
|
|
awsRegion:
|
|
description: "Primary AWS region"
|
|
value: ${{ steps.aws.outputs.region }}
|
|
awsReplicationRegions:
|
|
description: "AWS regions to replicate the image to"
|
|
value: ${{ steps.aws.outputs.replicationRegions }}
|
|
awsBucket:
|
|
description: "AWS S3 bucket to upload the image to"
|
|
value: ${{ steps.aws.outputs.bucket }}
|
|
awsEfivarsPath:
|
|
description: "AWS efivars path"
|
|
value: ${{ steps.aws.outputs.efivarsPath }}
|
|
awsImagePath:
|
|
description: "AWS image path"
|
|
value: ${{ steps.aws.outputs.imagePath }}
|
|
awsJsonOutput:
|
|
description: "AWS ami json output path"
|
|
value: ${{ steps.aws.outputs.jsonOutput }}
|
|
awsImageFilename:
|
|
description: "AWS raw image filename"
|
|
value: ${{ steps.aws.outputs.imageFilename }}
|
|
awsImageName:
|
|
description: "AWS image name"
|
|
value: ${{ steps.aws.outputs.imageName }}
|
|
awsPublish:
|
|
description: "Should AWS AMI be published"
|
|
value: ${{ steps.aws.outputs.publish }}
|
|
azureResourceGroupName:
|
|
description: "Azure resource group name"
|
|
value: ${{ steps.azure.outputs.resourceGroupName }}
|
|
azureRegion:
|
|
description: "Primary Azure region"
|
|
value: ${{ steps.azure.outputs.region }}
|
|
azureReplicationRegions:
|
|
description: "Azure regions to replicate the image to"
|
|
value: ${{ steps.azure.outputs.replicationRegions }}
|
|
azureVmgsRegion:
|
|
description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)"
|
|
value: ${{ steps.azure.outputs.vmgsRegion }}
|
|
azureSku:
|
|
description: "Azure SIG SKU"
|
|
value: ${{ steps.azure.outputs.sku }}
|
|
azurePublisher:
|
|
description: "Azure SIG publisher"
|
|
value: ${{ steps.azure.outputs.publisher }}
|
|
azureRawImagePath:
|
|
description: "Azure raw image path"
|
|
value: ${{ steps.azure.outputs.rawImagePath }}
|
|
azureImagePath:
|
|
description: "Azure image path"
|
|
value: ${{ steps.azure.outputs.imagePath }}
|
|
azureJsonOutput:
|
|
description: "Azure image json output path"
|
|
value: ${{ steps.azure.outputs.jsonOutput }}
|
|
azureSecurityType:
|
|
description: "Azure security type"
|
|
value: ${{ steps.azure.outputs.securityType }}
|
|
azureDiskName:
|
|
description: "Azure disk name"
|
|
value: ${{ steps.azure.outputs.diskName }}
|
|
azureImageDefinition:
|
|
description: "Azure image definition"
|
|
value: ${{ steps.azure.outputs.imageDefinition }}
|
|
azureImageOffer:
|
|
description: "Azure image offer"
|
|
value: ${{ steps.azure.outputs.imageOffer }}
|
|
azureImageVersion:
|
|
description: "Azure image version"
|
|
value: ${{ steps.azure.outputs.imageVersion }}
|
|
azureGalleryName:
|
|
description: "Azure gallery name"
|
|
value: ${{ steps.azure.outputs.galleryName }}
|
|
azureVmgsPath:
|
|
description: "Azure VMGS path"
|
|
value: ${{ steps.azure.outputs.vmgsPath }}
|
|
gcpProject:
|
|
description: "GCP project"
|
|
value: ${{ steps.gcp.outputs.project }}
|
|
gcpBucket:
|
|
description: "GCP bucket"
|
|
value: ${{ steps.gcp.outputs.bucket }}
|
|
gcpRegion:
|
|
description: "GCP region"
|
|
value: ${{ steps.gcp.outputs.region }}
|
|
gcpRawImagePath:
|
|
description: "GCP raw image path"
|
|
value: ${{ steps.gcp.outputs.rawImagePath }}
|
|
gcpImagePath:
|
|
description: "GCP image path"
|
|
value: ${{ steps.gcp.outputs.imagePath }}
|
|
gcpJsonOutput:
|
|
description: "GCP image json output path"
|
|
value: ${{ steps.gcp.outputs.jsonOutput }}
|
|
gcpImageName:
|
|
description: "GCP image name"
|
|
value: ${{ steps.gcp.outputs.imageName }}
|
|
gcpImageFilename:
|
|
description: "GCP image filename"
|
|
value: ${{ steps.gcp.outputs.imageFilename }}
|
|
gcpImageFamily:
|
|
description: "GCP image family"
|
|
value: ${{ steps.gcp.outputs.imageFamily }}
|
|
openStackJsonOutput:
|
|
description: "OpenStack image json output path"
|
|
value: ${{ steps.openstack.outputs.jsonOutput }}
|
|
openStackBucket:
|
|
description: "OpenStack S3 bucket"
|
|
value: ${{ steps.openstack.outputs.bucket }}
|
|
openStackBaseUrl:
|
|
description: "OpenStack raw image base URL"
|
|
value: ${{ steps.openstack.outputs.baseUrl }}
|
|
openStackImagePath:
|
|
description: "OpenStack image path"
|
|
value: ${{ steps.openstack.outputs.imagePath }}
|
|
qemuJsonOutput:
|
|
description: "QEMU image json output path"
|
|
value: ${{ steps.qemu.outputs.jsonOutput }}
|
|
qemuBucket:
|
|
description: "QEMU S3 bucket"
|
|
value: ${{ steps.qemu.outputs.bucket }}
|
|
qemuBaseUrl:
|
|
description: "QEMU raw image base URL"
|
|
value: ${{ steps.qemu.outputs.baseUrl }}
|
|
qemuImagePath:
|
|
description: "QEMU image path"
|
|
value: ${{ steps.qemu.outputs.imagePath }}
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Determine version
|
|
id: version
|
|
uses: ./.github/actions/pseudo_version
|
|
|
|
- name: Configure AWS input variables
|
|
id: aws
|
|
if: inputs.csp == 'aws'
|
|
shell: bash
|
|
env:
|
|
basePath: ${{ inputs.basePath }}
|
|
ref: ${{ inputs.ref }}
|
|
stream: ${{ inputs.stream }}
|
|
imageVersion: ${{ inputs.imageVersion }}
|
|
imageType: ${{ inputs.imageType }}
|
|
timestamp: ${{ steps.version.outputs.timestamp }}
|
|
semver: ${{ steps.version.outputs.semanticVersion }}
|
|
run: |
|
|
echo "region=eu-central-1" >> $GITHUB_OUTPUT
|
|
echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT
|
|
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
|
|
echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~37/efivars.bin" >> $GITHUB_OUTPUT
|
|
echo "imagePath=${basePath}/mkosi.output.aws/fedora~37/image.raw" >> $GITHUB_OUTPUT
|
|
echo "jsonOutput=${basePath}/mkosi.output.aws/fedora~37/image-upload.json" >> $GITHUB_OUTPUT
|
|
echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT
|
|
if [[ "${stream}" = "stable" ]]
|
|
then
|
|
echo "imageName=constellation-${imageVersion}" >> $GITHUB_OUTPUT
|
|
echo "publish=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "imageName=constellation-${ref}-${stream}-${semver}-${timestamp}" >> $GITHUB_OUTPUT
|
|
echo "publish=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
|
|
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
|
|
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
|
|
- name: Configure Azure input variables
|
|
id: azure
|
|
if: inputs.csp == 'azure'
|
|
shell: bash
|
|
env:
|
|
basePath: ${{ inputs.basePath }}
|
|
ref: ${{ inputs.ref }}
|
|
stream: ${{ inputs.stream }}
|
|
imageVersion: ${{ inputs.imageVersion }}
|
|
imageType: ${{ inputs.imageType }}
|
|
timestamp: ${{ steps.version.outputs.timestamp }}
|
|
semver: ${{ steps.version.outputs.semanticVersion }}
|
|
pseudover: ${{ steps.version.outputs.pseudoVersion }}
|
|
branchName: ${{ steps.version.outputs.branchName }}
|
|
uploadVariant: ${{ inputs.uploadVariant }}
|
|
run: |
|
|
echo "resourceGroupName=constellation-images" >> $GITHUB_OUTPUT
|
|
echo "region=northeurope" >> $GITHUB_OUTPUT
|
|
echo "vmgsRegion=eu-central-1" >> $GITHUB_OUTPUT
|
|
echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT
|
|
echo "sku=constellation" >> $GITHUB_OUTPUT
|
|
echo "publisher=edgelesssys" >> $GITHUB_OUTPUT
|
|
echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~37/image.raw" >> $GITHUB_OUTPUT
|
|
echo "imagePath=${basePath}/mkosi.output.azure/fedora~37/image.vhd" >> $GITHUB_OUTPUT
|
|
echo "jsonOutput=${basePath}/mkosi.output.azure/fedora~37/image-upload${uploadVariant}.json" >> $GITHUB_OUTPUT
|
|
# TODO: set default security type to "ConfidentialVM" once replication is possible
|
|
securityType=${{ inputs.uploadVariant }}
|
|
if [[ -z "${securityType}" ]]; then
|
|
securityType=ConfidentialVMSupported
|
|
fi
|
|
echo "securityType=${securityType}" >> $GITHUB_OUTPUT
|
|
echo "diskName=constellation-${stream}-${timestamp}-${securityType,,}" >> $GITHUB_OUTPUT
|
|
if [[ "${stream}" = "stable" ]]
|
|
then
|
|
echo "imageDefinition=constellation" >> $GITHUB_OUTPUT
|
|
echo "imageOffer=constellation" >> $GITHUB_OUTPUT
|
|
echo "imageVersion=${imageVersion:1}" >> $GITHUB_OUTPUT
|
|
galleryName=Constellation
|
|
elif [[ "${imageType}" = "debug" && ( "${ref}" = "-" || "${ref}" = "main" ) ]]
|
|
then
|
|
echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
|
|
echo "imageOffer=${semver}" >> $GITHUB_OUTPUT
|
|
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
|
|
galleryName=Constellation_Debug
|
|
else
|
|
echo "imageDefinition=${ref}-${stream}" >> $GITHUB_OUTPUT
|
|
echo "imageOffer=${ref}-${stream}" >> $GITHUB_OUTPUT
|
|
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
|
|
galleryName=Constellation_Testing
|
|
fi
|
|
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
|
|
if [[ "${securityType}" == "ConfidentialVMSupported" ]]; then
|
|
echo "galleryName=${galleryName}_CVM" >> $GITHUB_OUTPUT
|
|
echo "vmgsPath=" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "galleryName=${galleryName}" >> $GITHUB_OUTPUT
|
|
echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
# image family and image name may include lowercase alphanumeric characters and dashes.
|
|
# Must not end or begin with a dash
|
|
- name: Configure GCP input variables
|
|
id: gcp
|
|
if: inputs.csp == 'gcp'
|
|
shell: bash
|
|
env:
|
|
basePath: ${{ inputs.basePath }}
|
|
ref: ${{ inputs.ref }}
|
|
stream: ${{ inputs.stream }}
|
|
imageVersion: ${{ inputs.imageVersion }}
|
|
imageType: ${{ inputs.imageType }}
|
|
timestamp: ${{ steps.version.outputs.timestamp }}
|
|
semver: ${{ steps.version.outputs.semanticVersion }}
|
|
run: |
|
|
echo "project=constellation-images" >> $GITHUB_OUTPUT
|
|
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
|
|
echo "region=europe-west3" >> $GITHUB_OUTPUT
|
|
echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~37/image.raw" >> $GITHUB_OUTPUT
|
|
echo "imagePath=${basePath}/mkosi.output.gcp/fedora~37/image.tar.gz" >> $GITHUB_OUTPUT
|
|
echo "jsonOutput=${basePath}/mkosi.output.gcp/fedora~37/image-upload.json" >> $GITHUB_OUTPUT
|
|
echo "imageName=${imageVersion//./-}-${stream}" >> $GITHUB_OUTPUT
|
|
echo "imageFilename=${imageVersion//./-}-${stream}.tar.gz" >> $GITHUB_OUTPUT
|
|
if [[ "${stream}" = "stable" ]]
|
|
then
|
|
echo "imageFamily=constellation" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "imageFamily=constellation-${ref::45}" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Configure OpenStack input variables
|
|
id: openstack
|
|
if: inputs.csp == 'openstack'
|
|
shell: bash
|
|
env:
|
|
basePath: ${{ inputs.basePath }}
|
|
run: |
|
|
echo "bucket=cdn-constellation-backend" >> $GITHUB_OUTPUT
|
|
echo "baseUrl=https://cdn.confidential.cloud" >> $GITHUB_OUTPUT
|
|
echo "imagePath=${basePath}/mkosi.output.openstack/fedora~37/image.raw" >> $GITHUB_OUTPUT
|
|
echo "jsonOutput=${basePath}/mkosi.output.openstack/fedora~37/image-upload.json" >> $GITHUB_OUTPUT
|
|
|
|
- name: Configure QEMU input variables
|
|
id: qemu
|
|
if: inputs.csp == 'qemu'
|
|
shell: bash
|
|
env:
|
|
basePath: ${{ inputs.basePath }}
|
|
run: |
|
|
echo "bucket=cdn-constellation-backend" >> $GITHUB_OUTPUT
|
|
echo "baseUrl=https://cdn.confidential.cloud" >> $GITHUB_OUTPUT
|
|
echo "imagePath=${basePath}/mkosi.output.qemu/fedora~37/image.raw" >> $GITHUB_OUTPUT
|
|
echo "jsonOutput=${basePath}/mkosi.output.qemu/fedora~37/image-upload.json" >> $GITHUB_OUTPUT
|