ci: encrypt artifacts (#2567)

edgelesssys · Dec 20, 2023 · a429ca5 · a429ca5
1 parent 0e84c6c
commit a429ca5
Show file tree

Hide file tree

Showing 18 changed files with 224 additions and 48 deletions.
diff --git a/.github/actions/artifact_download/action.yml b/.github/actions/artifact_download/action.yml
@@ -0,0 +1,39 @@
+name: Download artifact
+description: Download and decrypt an artifact.
+
+inputs:
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  path:
+    description: 'Download to a specified path.'
+    required: false
+    default: ./
+  encryption-secret:
+    description: 'The secret to use for decrypting the artifact.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install unzip
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          unzip
+
+    - name: Create temporary directory
+      id: tempdir
+      shell: bash
+      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
+
+    - name: Download the artifact
+      uses: actions/download-artifact@v3
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ steps.tempdir.outputs.directory }}
+
+    - name: Decrypt and unzip archive
+      shell: bash
+      run: |
+        unzip -P '${{ inputs.encryption-secret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip
diff --git a/.github/actions/artifact_upload/action.yml b/.github/actions/artifact_upload/action.yml
@@ -0,0 +1,60 @@
+name: Upload artifact
+description: Upload an encrypted zip archive as a github artifact.
+
+inputs:
+  path:
+    description: 'The path(s) that should be uploaded. Those are evaluated with bash and the extglob option.'
+    required: true
+  name:
+    description: 'The name of the artifact.'
+    required: true
+  retention-days:
+    description: 'How long the artifact should be retained for.'
+    default: 60
+  encryption-secret:
+    description: 'The secret to use for encrypting the files.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install zip
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: |
+          zip
+
+    - name: Create temporary directory
+      id: tempdir
+      shell: bash
+      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
+
+    - name: Create archive
+      shell: bash
+      run: |
+        shopt -s extglob
+
+        # Check if any file matches the given pattern(s).
+        something_exists=false
+        for pattern in ${{ inputs.path }}; do
+          if compgen -G $pattern > /dev/null; then
+            something_exists=true
+          fi
+        done
+
+        # Create an archive if files exist.
+        # Don't create an archive file if no files are found
+        # and warn.
+        if $something_exists; then
+          zip -e -P '${{ inputs.encryption-secret }}' -qq -r ${{ steps.tempdir.outputs.directory }}/archive.zip ${{ inputs.path }}
+        else
+          echo "::warning:: No files/directories found with the provided path(s) $(echo -n ${{ inputs.path }}). No artifact will be uploaded."
+        fi
+
+    - name: Upload archive as artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ steps.tempdir.outputs.directory }}/archive.zip
+        retention-days: ${{ inputs.retention-days }}
+        if-no-files-found: ignore
diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
@@ -59,6 +59,9 @@ inputs:
   force:
     description: "Set the force-flag on apply to ignore version mismatches."
     required: false
+  encryption-secret:
+    description: "The secret to use for encrypting the artifact."
+    required: true
 
 outputs:
   kubeconfig:
@@ -259,9 +262,9 @@ runs:
     - name: Upload boot logs
       if: always() && !env.ACT
       continue-on-error: true
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
         name: serial-logs-${{ inputs.artifactNameSuffix }}
-        path: |
-          *.log
-          !terraform.log
+        path: >
+          !(terraform).log
+        encryption-secret: ${{ inputs.encryption-secret }}
diff --git a/.github/actions/download_release_binaries/action.yml b/.github/actions/download_release_binaries/action.yml
@@ -1,55 +1,69 @@
 name: Download release binaries
 description: "Downloads all binaries created by a different job (and therefore not available in this job) in the release pipeline."
+inputs:
+  encryption-secret:
+    description: 'The secret to use for decrypting the artifact.'
+    required: true
 
 runs:
   using: "composite"
   steps:
     - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: constellation-darwin-amd64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: constellation-darwin-arm64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: constellation-linux-amd64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: constellation-linux-arm64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: constellation-windows-amd64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download Terraform module
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: terraform-module
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: terraform-provider-constellation-darwin-amd64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: terraform-provider-constellation-darwin-arm64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: terraform-provider-constellation-linux-amd64
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      uses: ./.github/actions/artifact_download
       with:
         name: terraform-provider-constellation-linux-arm64
+        encryption-secret: ${{ inputs.encryption-secret }}
diff --git a/.github/actions/e2e_benchmark/action.yml b/.github/actions/e2e_benchmark/action.yml
@@ -17,6 +17,9 @@ inputs:
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the results."
     required: false
+  encryption-secret:
+    description: 'The secret to use for encrypting the artifact.'
+    required: true
 
 runs:
   using: "composite"
@@ -93,10 +96,11 @@ runs:
 
     - name: Upload raw FIO benchmark results
       if: (!env.ACT)
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
         path: "out/fio-constellation-${{ inputs.cloudProvider }}.json"
         name: "fio-constellation-${{ inputs.cloudProvider }}.json"
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Run knb benchmark
       shell: bash
@@ -114,10 +118,11 @@ runs:
 
     - name: Upload raw knb benchmark results
       if: (!env.ACT)
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
         path: "out/knb-constellation-${{ inputs.cloudProvider }}.json"
         name: "knb-constellation-${{ inputs.cloudProvider }}.json"
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Assume AWS role to retrieve and update benchmarks in S3
       uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@@ -166,11 +171,12 @@ runs:
 
     - name: Upload benchmark results to action run
       if: (!env.ACT)
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
-        path: |
+        path: >
           benchmarks/constellation-${{ inputs.cloudProvider }}.json
         name: "benchmarks"
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Upload benchmark results to opensearch
       if: (!env.ACT)

diff --git a/.github/actions/e2e_sonobuoy/action.yml b/.github/actions/e2e_sonobuoy/action.yml
@@ -11,6 +11,9 @@ inputs:
   kubeconfig:
     description: "The kubeconfig of the cluster to test."
     required: true
+  encryption-secret:
+    description: 'The secret to use for encrypting the artifact.'
+    required: true
 
 runs:
   using: "composite"
@@ -44,10 +47,11 @@ runs:
 
     - name: Upload test results
       if: always() && !env.ACT
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: ./.github/actions/artifact_upload
       with:
         name: "sonobuoy-logs-${{ inputs.artifactNameSuffix }}.tar.gz"
         path: "*_sonobuoy_*.tar.gz"
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     # Only works on "sonobuoy full" tests (e2e plugin)
     - name: Extract test results

diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
@@ -86,6 +86,9 @@ inputs:
   force:
     description: "Set the force-flag on apply to ignore version mismatches."
     required: false
+  encryption-secret:
+    description: 'The secret to use for decrypting the artifact.'
+    required: true
 
 outputs:
   kubeconfig:
@@ -296,6 +299,7 @@ runs:
         clusterCreation: ${{ inputs.clusterCreation }}
         marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
         force: ${{ inputs.force }}
+        encryption-secret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
 
     - name: Deploy log- and metrics-collection (Kubernetes)
       id: deploy-logcollection
@@ -330,6 +334,7 @@ runs:
         sonobuoyTestSuiteCmd: "--mode quick"
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Run sonobuoy full test
       if: inputs.test == 'sonobuoy full'
@@ -339,6 +344,7 @@ runs:
         sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
         kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
         artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Run autoscaling test
       if: inputs.test == 'autoscaling'
@@ -361,6 +367,7 @@ runs:
         awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
         awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
         awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Run constellation verify test
       if: inputs.test == 'verify'

diff --git a/.github/actions/upload_terraform_module/action.yml b/.github/actions/upload_terraform_module/action.yml
@@ -1,5 +1,10 @@
 name: Upload Terraform infrastructure module
 description: "Upload the Terraform infrastructure module as an artifact."
+inputs:
+  encryption-secret:
+      description: 'The secret to use for encrypting the artifact.'
+      required: true
+
 
 runs:
   using: "composite"
@@ -15,10 +20,11 @@ runs:
         zip -r terraform-module.zip terraform-module
 
     - name: Upload artifact
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+      uses: ./.github/actions/artifact_upload
       with:
         name: terraform-module
         path: terraform-module.zip
+        encryption-secret: ${{ inputs.encryption-secret }}
 
     - name: Cleanup Terraform module dir
       shell: bash