mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
b79f7d0c8c
* image: support OpenStack image build / upload * cli: add OpenStack terraform template * config: add OpenStack as CSP * versionsapi: add OpenStack as CSP * cli: add OpenStack as provider for `config generate` and `create` * disk-mapper: add basic support for boot on OpenStack * debugd: add placeholder for OpenStack * image: fix config file sourcing for image upload
246 lines
8.0 KiB
Bash
Executable File
246 lines
8.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Copyright (c) Edgeless Systems GmbH
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
set -euo pipefail
|
|
shopt -s inherit_errexit
|
|
|
|
if [[ -f ${CONFIG_FILE-} ]]; then
|
|
# shellcheck source=/dev/null
|
|
. "${CONFIG_FILE}"
|
|
fi
|
|
|
|
CREATE_SIG_VERSION=NO
|
|
POSITIONAL_ARGS=()
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case $1 in
|
|
-g | --gallery)
|
|
CREATE_SIG_VERSION=YES
|
|
shift # past argument
|
|
;;
|
|
--disk-name)
|
|
AZURE_DISK_NAME="$2"
|
|
shift # past argument
|
|
shift # past value
|
|
;;
|
|
-*)
|
|
echo "Unknown option $1"
|
|
exit 1
|
|
;;
|
|
*)
|
|
POSITIONAL_ARGS+=("$1") # save positional arg
|
|
shift # past argument
|
|
;;
|
|
esac
|
|
done
|
|
|
|
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
|
|
|
|
if [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
|
|
AZURE_DISK_SECURITY_TYPE=ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey
|
|
AZURE_SIG_VERSION_ENCRYPTION_TYPE=EncryptedVMGuestStateOnlyWithPmk
|
|
security_type_short_name="cvm"
|
|
elif [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVMSupported" ]]; then
|
|
AZURE_DISK_SECURITY_TYPE=""
|
|
security_type_short_name="cvm"
|
|
elif [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
|
|
AZURE_DISK_SECURITY_TYPE=TrustedLaunch
|
|
security_type_short_name="trustedlaunch"
|
|
else
|
|
echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
|
|
exit 1
|
|
fi
|
|
|
|
AZURE_CVM_ENCRYPTION_ARGS=""
|
|
if [[ -n ${AZURE_SIG_VERSION_ENCRYPTION_TYPE-} ]]; then
|
|
AZURE_CVM_ENCRYPTION_ARGS=" --target-region-cvm-encryption "
|
|
for _ in ${AZURE_REPLICATION_REGIONS}; do
|
|
AZURE_CVM_ENCRYPTION_ARGS=" ${AZURE_CVM_ENCRYPTION_ARGS} ${AZURE_SIG_VERSION_ENCRYPTION_TYPE}, "
|
|
done
|
|
fi
|
|
echo "Replicating image in ${AZURE_REPLICATION_REGIONS}"
|
|
|
|
AZURE_VMGS_PATH=$1
|
|
if [[ -z ${AZURE_VMGS_PATH} ]] && [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
|
|
echo "No VMGS path provided - using default ConfidentialVM VMGS"
|
|
AZURE_VMGS_PATH="${BLOBS_DIR}/cvm-vmgs.vhd"
|
|
elif [[ -z ${AZURE_VMGS_PATH} ]] && [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
|
|
echo "No VMGS path provided - using default TrsutedLaunch VMGS"
|
|
AZURE_VMGS_PATH="${BLOBS_DIR}/trusted-launch-vmgs.vhd"
|
|
fi
|
|
|
|
SIZE=$(wc -c "${AZURE_IMAGE_PATH}" | cut -d " " -f1)
|
|
|
|
create_disk_with_vmgs() {
|
|
az disk create \
|
|
-n "${AZURE_DISK_NAME}" \
|
|
-g "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
-l "${AZURE_REGION}" \
|
|
--hyper-v-generation V2 \
|
|
--os-type Linux \
|
|
--upload-size-bytes "${SIZE}" \
|
|
--sku standard_lrs \
|
|
--upload-type UploadWithSecurityData \
|
|
--security-type "${AZURE_DISK_SECURITY_TYPE}"
|
|
az disk wait --created -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
|
|
az disk list --output table --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}']"
|
|
DISK_SAS=$(az disk grant-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
--access-level Write --duration-in-seconds 86400 \
|
|
${AZURE_VMGS_PATH+"--secure-vm-guest-state-sas"})
|
|
azcopy copy "${AZURE_IMAGE_PATH}" \
|
|
"$(echo "${DISK_SAS}" | jq -r .accessSas)" \
|
|
--blob-type PageBlob
|
|
if [[ -z ${AZURE_VMGS_PATH} ]]; then
|
|
echo "No VMGS path provided - skipping VMGS upload"
|
|
else
|
|
azcopy copy "${AZURE_VMGS_PATH}" \
|
|
"$(echo "${DISK_SAS}" | jq -r .securityDataAccessSas)" \
|
|
--blob-type PageBlob
|
|
fi
|
|
az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
|
|
}
|
|
|
|
create_disk_without_vmgs() {
|
|
az disk create \
|
|
-n "${AZURE_DISK_NAME}" \
|
|
-g "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
-l "${AZURE_REGION}" \
|
|
--hyper-v-generation V2 \
|
|
--os-type Linux \
|
|
--upload-size-bytes "${SIZE}" \
|
|
--sku standard_lrs \
|
|
--upload-type Upload
|
|
az disk wait --created -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
|
|
az disk list --output table --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}']"
|
|
DISK_SAS=$(az disk grant-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
--access-level Write --duration-in-seconds 86400)
|
|
azcopy copy "${AZURE_IMAGE_PATH}" \
|
|
"$(echo "${DISK_SAS}" | jq -r .accessSas)" \
|
|
--blob-type PageBlob
|
|
az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
|
|
}
|
|
|
|
create_disk() {
|
|
if [[ -z ${AZURE_VMGS_PATH} ]]; then
|
|
create_disk_without_vmgs
|
|
else
|
|
create_disk_with_vmgs
|
|
fi
|
|
}
|
|
|
|
delete_disk() {
|
|
az disk delete -y -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
|
|
}
|
|
|
|
create_image() {
|
|
if [[ -n ${AZURE_VMGS_PATH} ]]; then
|
|
return
|
|
fi
|
|
az image create \
|
|
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
-l "${AZURE_REGION}" \
|
|
-n "${AZURE_DISK_NAME}" \
|
|
--hyper-v-generation V2 \
|
|
--os-type Linux \
|
|
--source "$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
|
|
}
|
|
|
|
delete_image() {
|
|
if [[ -n ${AZURE_VMGS_PATH} ]]; then
|
|
return
|
|
fi
|
|
az image delete -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
|
|
}
|
|
|
|
# shellcheck disable=SC2086
|
|
create_sig_version() {
|
|
if [[ -n ${AZURE_VMGS_PATH} ]]; then
|
|
local DISK
|
|
DISK="$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
|
|
local SOURCE="--os-snapshot ${DISK}"
|
|
else
|
|
local IMAGE
|
|
IMAGE="$(az image list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
|
|
local SOURCE="--managed-image ${IMAGE}"
|
|
fi
|
|
az sig create -l "${AZURE_REGION}" --gallery-name "${AZURE_GALLERY_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true
|
|
az sig image-definition create \
|
|
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
-l "${AZURE_REGION}" \
|
|
--gallery-name "${AZURE_GALLERY_NAME}" \
|
|
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
|
|
--publisher "${AZURE_PUBLISHER}" \
|
|
--offer "${AZURE_IMAGE_OFFER}" \
|
|
--sku "${AZURE_SKU}" \
|
|
--os-type Linux \
|
|
--os-state generalized \
|
|
--hyper-v-generation V2 \
|
|
--features SecurityType="${AZURE_SECURITY_TYPE}" || true
|
|
az sig image-version create \
|
|
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
-l "${AZURE_REGION}" \
|
|
--gallery-name "${AZURE_GALLERY_NAME}" \
|
|
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
|
|
--gallery-image-version "${AZURE_IMAGE_VERSION}" \
|
|
--target-regions ${AZURE_REPLICATION_REGIONS} \
|
|
${AZURE_CVM_ENCRYPTION_ARGS} \
|
|
--replica-count 1 \
|
|
--replication-mode Full \
|
|
${SOURCE}
|
|
}
|
|
|
|
get_image_version_reference() {
|
|
local is_community_gallery
|
|
is_community_gallery=$(az sig show --gallery-name "${AZURE_GALLERY_NAME}" \
|
|
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
--query 'sharingProfile.communityGalleryInfo.communityGalleryEnabled' \
|
|
-o tsv)
|
|
if [[ ${is_community_gallery} == "true" ]]; then
|
|
get_community_image_version_reference
|
|
return
|
|
fi
|
|
get_unshared_image_version_reference
|
|
}
|
|
|
|
get_community_image_version_reference() {
|
|
local communityGalleryName
|
|
communityGalleryName=$(az sig show --gallery-name "${AZURE_GALLERY_NAME}" \
|
|
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
--query 'sharingProfile.communityGalleryInfo.publicNames[0]' \
|
|
-o tsv)
|
|
az sig image-version show-community \
|
|
--public-gallery-name "${communityGalleryName}" \
|
|
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
|
|
--gallery-image-version "${AZURE_IMAGE_VERSION}" \
|
|
--location "${AZURE_REGION}" \
|
|
--query 'uniqueId' \
|
|
-o tsv
|
|
}
|
|
|
|
get_unshared_image_version_reference() {
|
|
az sig image-version show \
|
|
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
|
--gallery-name "${AZURE_GALLERY_NAME}" \
|
|
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
|
|
--gallery-image-version "${AZURE_IMAGE_VERSION}" \
|
|
--query id --output tsv
|
|
}
|
|
|
|
create_disk
|
|
|
|
if [[ ${CREATE_SIG_VERSION} == "YES" ]]; then
|
|
create_image
|
|
create_sig_version
|
|
delete_image
|
|
delete_disk
|
|
fi
|
|
|
|
image_reference=$(get_image_version_reference)
|
|
json=$(jq -ncS \
|
|
--arg security_type "${security_type_short_name}" \
|
|
--arg image_reference "${image_reference}" \
|
|
'{"azure": {($security_type): $image_reference}}')
|
|
echo -n "${json}" > "${AZURE_JSON_OUTPUT}"
|