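# Builds the UID2 operator image for the Azure Confidential Containers (CC) enclave,
# generates and hardens the ACI confidential-compute policy for it, and publishes the
# patched deployment templates plus the policy digest (the enclave id). For releases it
# also creates a draft GitHub release with a generated changelog.
#
# NOTE(review): the buildImage job currently has its version-bump / package / scan / push
# steps commented out and returns fixed output values; this reads as a work-in-progress
# state — confirm before relying on the artifacts this workflow publishes.
name: Publish Azure CC Operator
run-name: ${{ format('Publish {0} Azure CC Operator', inputs.release_type) }}
on:
  workflow_dispatch:
    inputs:
      release_type:
        type: choice
        description: The type of release
        options:
          - Snapshot
          - Patch
          - Minor
          - Major
      version_number_input:
        description: If set, the version number will not be incremented and the given number will be used.
        type: string
        default: ''
      vulnerability_severity:
        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised.
        type: choice
        options:
          - CRITICAL,HIGH
          - CRITICAL,HIGH,MEDIUM
          # NOTE(review): this option is not a bare severity list; it would need trimming
          # before being handed to a scanner as-is.
          - CRITICAL (DO NOT use if JIRA ticket not raised)
  workflow_call:
    inputs:
      release_type:
        description: The type of version number to return. Must be one of [Snapshot, Patch, Minor or Major]
        required: true
        type: string
      version_number_input:
        description: If set, the version number will not be incremented and the given number will be used.
        type: string
        default: ''
      commit_sha:
        description: The commit SHA for committing the new version for pom.xml.
        type: string
        default: ''
      vulnerability_severity:
        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
        type: string
        default: 'CRITICAL,HIGH'
    outputs:
      image_tag:
        description: The tag used to describe the image in Docker
        value: ${{ jobs.buildImage.outputs.image_tag }}
env:
  REGISTRY: ghcr.io
  MAVEN_PROFILE: azure
  ENCLAVE_PROTOCOL: azure-cc
  IMAGE_NAME: ${{ github.repository }}
  DOCKER_CONTEXT_PATH: scripts/azure-cc
  # Staging directories for the patched ARM templates and for the policy digest,
  # each uploaded as its own artifact by the azureCc job.
  ARTIFACTS_OUTPUT_DIR: ${{ github.workspace }}/deployment-artifacts
  MANIFEST_OUTPUT_DIR: ${{ github.workspace }}/manifest
jobs:
  buildImage:
    name: Build Image
    runs-on: ubuntu-latest
    # Sized for the commented-out publish steps below (push to GHCR, upload SARIF, commit
    # the version bump). The steps that are currently active only check out the repo and
    # install a JDK, so these grants are broader than what the job now uses.
    permissions:
      contents: write
      security-events: write
      packages: write
      id-token: write
      pull-requests: write
    outputs:
      # jar_version: ${{ steps.update_version.outputs.new_version }}
      # docker_version: ${{ steps.meta.outputs.version }}
      # image_tag: ${{ steps.update_version.outputs.image_tag }}
      # tags: ${{ steps.meta.outputs.tags }}
      # is_release: ${{ steps.update_version.outputs.is_release }}
      jar_version: 5.49.9-alpha-224-SNAPSHOT
      docker_version: 5.49.9-alpha-224-SNAPSHOT-azure-cc
      image_tag: 5.49.9-alpha-224-SNAPSHOT-azure-cc
      tags: ghcr.io/iabtechlab/uid2-operator:5.49.9-alpha-224-SNAPSHOT-azure-cc
      # Job outputs are strings; quoted so it is unambiguously the value the
      # release conditions in azureCc compare against ('true').
      is_release: 'false'
    steps:
      # - name: Update Operator Version
      #   id: update_version
      #   uses: IABTechLab/uid2-operator/.github/actions/update_operator_version@main
      #   with:
      #     release_type: ${{ inputs.release_type }}
      #     version_number_input: ${{ inputs.version_number_input }}
      #     image_tag_suffix: ${{ env.ENCLAVE_PROTOCOL }}
      #     commit_sha: ${{ inputs.commit_sha }}
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
          cache: 'maven'
      # - name: Package JAR
      #   id: package
      #   run: |
      #     mvn -B package -P ${{ env.MAVEN_PROFILE }}
      #     echo "jar_version=$(mvn help:evaluate -Dexpression=project.version | grep -e '^[1-9][^\[]')" >> $GITHUB_OUTPUT
      #     echo "git_commit=$(git show --format="%h" --no-patch)" >> $GITHUB_OUTPUT
      #     cp -r target ${{ env.DOCKER_CONTEXT_PATH }}/
      #     cp scripts/confidential_compute.py ${{ env.DOCKER_CONTEXT_PATH }}/
      # - name: Log in to the Docker container registry
      #   uses: docker/login-action@v3
      #   with:
      #     registry: ${{ env.REGISTRY }}
      #     username: ${{ github.actor }}
      #     password: ${{ secrets.GITHUB_TOKEN }}
      # - name: Extract metadata (tags, labels) for Docker
      #   id: meta
      #   uses: docker/metadata-action@v5
      #   with:
      #     images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      #     tags: |
      #       type=raw,value=${{ steps.update_version.outputs.image_tag }}
      # - name: Build and export to Docker
      #   uses: docker/build-push-action@v5
      #   with:
      #     context: ${{ env.DOCKER_CONTEXT_PATH }}
      #     load: true
      #     tags: ${{ steps.meta.outputs.tags }}
      #     labels: ${{ steps.meta.outputs.labels }}
      #     build-args: |
      #       JAR_VERSION=${{ steps.update_version.outputs.new_version }}
      #       IMAGE_VERSION=${{ steps.update_version.outputs.new_version }}
      #       BUILD_TARGET=${{ env.ENCLAVE_PROTOCOL }}
      # - name: Generate Trivy vulnerability scan report
      #   uses: aquasecurity/trivy-action@0.14.0
      #   with:
      #     image-ref: ${{ steps.meta.outputs.tags }}
      #     format: 'sarif'
      #     exit-code: '0'
      #     ignore-unfixed: true
      #     severity: 'CRITICAL,HIGH'
      #     output: 'trivy-results.sarif'
      #     hide-progress: true
      # - name: Upload Trivy scan report to GitHub Security tab
      #   uses: github/codeql-action/upload-sarif@v3
      #   with:
      #     sarif_file: 'trivy-results.sarif'
      # - name: Test with Trivy vulnerability scanner
      #   uses: aquasecurity/trivy-action@0.14.0
      #   with:
      #     image-ref: ${{ steps.meta.outputs.tags }}
      #     format: 'table'
      #     exit-code: '1'
      #     ignore-unfixed: true
      #     severity: ${{ inputs.vulnerability_severity }}
      #     hide-progress: true
      # - name: Push to Docker
      #   id: push-to-docker
      #   uses: docker/build-push-action@v5
      #   with:
      #     context: ${{ env.DOCKER_CONTEXT_PATH }}
      #     push: true
      #     tags: ${{ steps.meta.outputs.tags }}
      #     labels: ${{ steps.meta.outputs.labels }}
      #     build-args: |
      #       JAR_VERSION=${{ steps.update_version.outputs.new_version }}
      #       IMAGE_VERSION=${{ steps.update_version.outputs.new_version }}
  azureCc:
    name: Azure CC
    runs-on: ubuntu-latest
    env:
      SCRIPTS_DIR: ./scripts/azure-cc/deployment
    needs: buildImage
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Copy Azure deployment files
        run: |
          mkdir -p ${{ env.ARTIFACTS_OUTPUT_DIR }}
          cp ${{ env.SCRIPTS_DIR }}/gateway.json \
             ${{ env.SCRIPTS_DIR }}/gateway.parameters.json \
             ${{ env.SCRIPTS_DIR }}/vault.json \
             ${{ env.SCRIPTS_DIR }}/vault.parameters.json \
             ${{ env.SCRIPTS_DIR }}/operator.json \
             ${{ env.SCRIPTS_DIR }}/operator.parameters.json \
             ${{ env.SCRIPTS_DIR }}/vnet.json \
             ${{ env.SCRIPTS_DIR }}/vnet.parameters.json \
             ${{ env.ARTIFACTS_OUTPUT_DIR }}
      # Substitutes the built image reference into the operator ARM template.
      - name: Update operator template
        shell: bash
        env:
          OPERATOR_TEMPLATE: ${{ env.ARTIFACTS_OUTPUT_DIR }}/operator.json
          IMAGE: ${{ needs.buildImage.outputs.tags }}
        run: |
          # IMAGE is "<registry>/<name>:<tag>"; keep only the tag for the version placeholder.
          IMAGE_VERSION=$(echo "$IMAGE" | awk -F':' '{print $2}')
          sed -i "s#IMAGE_PLACEHOLDER#${IMAGE}#g" "$OPERATOR_TEMPLATE"
          sed -i "s#IMAGE_VERSION_PLACEHOLDER#${IMAGE_VERSION}#g" "$OPERATOR_TEMPLATE"
      - name: Generate ACI policy
        id: aci_policy
        uses: ./.github/actions/acipolicygen_cc
        with:
          # TODO
          template_file: deployment-artifacts/operator.json
      # Hardens the generated policy, records its digest (the enclave id) and embeds it in the
      # template. Same display name as the step above; rename if the two need to be told apart in logs.
      - name: Update operator template
        shell: bash
        env:
          # Passed through the environment rather than interpolated into the script so the
          # action output cannot alter the shell command line.
          POLICY: ${{ steps.aci_policy.outputs.policy }}
          POLICY_BASE_64: ${{ env.SCRIPTS_DIR }}/policy.base64
          GENERATED_REGO: ${{ env.SCRIPTS_DIR }}/generated.rego
          GENERATED_REGO_BASE64: ${{ env.SCRIPTS_DIR }}/generated.rego.base64
          POLICY_DIGEST_FILE: ${{ env.MANIFEST_OUTPUT_DIR }}/azure-cc-operator-digest-${{ needs.buildImage.outputs.jar_version }}.txt
          OPERATOR_TEMPLATE: ${{ env.ARTIFACTS_OUTPUT_DIR }}/operator.json
        run: |
          # Fail fast instead of sealing an empty policy into the template and publishing its digest.
          if [ -z "$POLICY" ]; then
            echo "::error::ACI policy output from the acipolicygen_cc action is empty"
            exit 1
          fi
          echo -n "$POLICY" > "$POLICY_BASE_64"
          # Export the policy, update it to turn off allow_environment_variable_dropping, and then insert it into the template.
          # Note that the EnclaveId is generated by sha256sum on the raw policy, not the base64 version.
          base64 --decode "$POLICY_BASE_64" > "$GENERATED_REGO"
          sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" "$GENERATED_REGO"
          # sed is a silent no-op when the pattern is absent; verify the hardening actually landed
          # before the digest of this policy is published as the enclave id.
          if ! grep -q 'allow_environment_variable_dropping := false' "$GENERATED_REGO"; then
            echo "::error::allow_environment_variable_dropping is not set to false in the generated policy"
            exit 1
          fi
          # Generate the SHA256 hash of modified policy and write the hash to the policy digest file.
          GENERATED_REGO_SHA256=$(sha256sum "$GENERATED_REGO" | cut -d ' ' -f 1)
          mkdir -p "$(dirname "$POLICY_DIGEST_FILE")"
          echo "$GENERATED_REGO_SHA256" > "$POLICY_DIGEST_FILE"
          # Insert the base64-encoded modified policy into the template.
          cp "$OPERATOR_TEMPLATE" /tmp/source.json
          base64 --wrap=0 "$GENERATED_REGO" > "$GENERATED_REGO_BASE64"
          jq --arg policy "$(cat "$GENERATED_REGO_BASE64")" '.resources[].properties.confidentialComputeProperties.ccePolicy = $policy' /tmp/source.json > "$OPERATOR_TEMPLATE"
      - name: Upload deployment artifacts
        uses: actions/upload-artifact@v4
        with:
          name: azure-cc-deployment-files-${{ needs.buildImage.outputs.jar_version }}
          path: ${{ env.ARTIFACTS_OUTPUT_DIR }}
          if-no-files-found: error
      - name: Upload manifest
        uses: actions/upload-artifact@v4
        with:
          name: azure-cc-enclave-id-${{ needs.buildImage.outputs.jar_version }}
          path: ${{ env.MANIFEST_OUTPUT_DIR }}
          if-no-files-found: error
      # The archive name below must match the one attached to the release in "Create release".
      - name: Generate release archive
        if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }}
        run: |
          zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ needs.buildImage.outputs.docker_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/*
      - name: Build changelog
        id: github_release
        if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }}
        uses: mikepenz/release-changelog-builder-action@v4
        with:
          configurationJson: |
            {
              "template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ needs.buildImage.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ needs.buildImage.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}",
              "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )"
            }
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Create release
        if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }}
        uses: softprops/action-gh-release@v2
        with:
          name: ${{ needs.buildImage.outputs.jar_version }}
          body: ${{ steps.github_release.outputs.changelog }}
          draft: true
          # The archive is produced by "Generate release archive" under the docker_version name;
          # referencing it by jar_version here would point at a file that does not exist.
          files: |
            ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ needs.buildImage.outputs.docker_version }}.zip
            ${{ env.MANIFEST_OUTPUT_DIR }}/azure-cc-operator-digest-${{ needs.buildImage.outputs.jar_version }}.txt
  # e2e:
  #   name: E2E
  #   uses: ./.github/workflows/run-e2e-tests-on-operator.yaml
  #   needs: [buildImage, azureCc]
  #   with:
  #     operator_type: azure
  #     operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
  #   secrets: inherit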