mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
f604a8dfd2
The TCP versions are extracted from the MAA token, that itself is taken from the verify command output. The configapi is adapted to directly work on the MAA claims JSON. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
102 lines
3.4 KiB
YAML
102 lines
3.4 KiB
YAML
name: Constellation verify
|
|
description: "Verify a Constellation cluster."
|
|
|
|
inputs:
|
|
osImage:
|
|
description: "The OS image used in the cluster."
|
|
required: true
|
|
cloudProvider:
|
|
description: "The cloud provider used in the cluster."
|
|
required: true
|
|
kubeconfig:
|
|
description: "The kubeconfig file for the cluster."
|
|
required: true
|
|
cosignPassword:
|
|
required: true
|
|
description: "The password for the cosign private key."
|
|
cosignPrivateKey:
|
|
required: true
|
|
description: "The cosign private key."
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Expand version path
|
|
id: expand-version
|
|
uses: ./.github/actions/shortname
|
|
with:
|
|
shortname: ${{ inputs.osImage }}
|
|
|
|
- name: Constellation fetch measurements
|
|
shell: bash
|
|
run: |
|
|
if [[ ${{ steps.expand-version.outputs.stream }} == "debug" ]]
|
|
then
|
|
constellation config fetch-measurements --insecure
|
|
else
|
|
constellation config fetch-measurements
|
|
fi
|
|
|
|
- name: Constellation verify
|
|
shell: bash
|
|
run: constellation verify --cluster-id $(jq -r ".clusterID" constellation-id.json) --force
|
|
|
|
- name: Verify all nodes
|
|
shell: bash
|
|
env:
|
|
KUBECONFIG: ${{ inputs.kubeconfig }}
|
|
run: |
|
|
clusterID=$(jq -r ".clusterID" constellation-id.json)
|
|
nodes=$(kubectl get nodes -o json | jq -r ".items[].metadata.name")
|
|
|
|
for node in $nodes ; do
|
|
verificationPod=$(kubectl get pods --field-selector spec.nodeName=${node} -n kube-system | grep "verification-service" | cut -d' ' -f1)
|
|
|
|
mapfile -t verificationPod <<< "$verificationPod"
|
|
|
|
if [[ ${#verificationPod[@]} -ne 1 ]]; then
|
|
echo "Expected 1 verification pod for node ${node}, found ${#verificationPodArray[@]}"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Verifying pod ${verificationPod} on node ${node}"
|
|
|
|
kubectl wait -n kube-system "pod/${verificationPod}" --for=condition=ready --timeout=5m
|
|
kubectl port-forward -n kube-system "pods/${verificationPod}" 9090:9090 &
|
|
forwarderPID=$!
|
|
sleep 5
|
|
|
|
verifyOut=$(constellation verify --cluster-id "${clusterID}" --force --node-endpoint localhost:9090)
|
|
|
|
kill $forwarderPID
|
|
|
|
if [[ ${{ inputs.cloudProvider }} != "azure" ]]; then
|
|
continue
|
|
fi
|
|
|
|
echo "Extracting TCB versions for API update"
|
|
startMAAToken="Microsoft Azure Attestation Token:"
|
|
endMAAToken="Verification OK"
|
|
sed -n "/${startMAAToken}/,/${endMAAToken}/ { /${startMAAToken}/d; /${endMAAToken}/d; p }" <<< "${verifyOut}" > "maa-claims-${node}.json"
|
|
done
|
|
|
|
- name: Login to AWS
|
|
if: github.ref_name == 'main' && inputs.cloudProvider == 'azure'
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Upload extracted TCBs
|
|
if: github.ref_name == 'main' && inputs.cloudProvider == 'azure'
|
|
shell: bash
|
|
env:
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
run: |
|
|
for file in $(ls maa-claims-*.json); do
|
|
path=$(realpath "${file}")
|
|
cat "${path}"
|
|
bazel run //hack/configapi -- --maa-claims-path "${path}"
|
|
done
|