From d619877417f79a80228824335d03ba28213595e3 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:54:38 +0200
Subject: [PATCH] add image fetching for CSP

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
---
 .../actions/constellation_create/action.yml | 1 -
 .../actions/self_managed_create/action.yml | 14 +++--
 hack/image-fetch/BUILD.bazel | 22 ++++++++
 hack/image-fetch/main.go | 54 +++++++++++++++++++
 4 files changed, 85 insertions(+), 6 deletions(-)
 create mode 100644 hack/image-fetch/BUILD.bazel
 create mode 100644 hack/image-fetch/main.go

diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index 976292ddf2..cbc04ee2a0 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -145,7 +145,6 @@ runs:
         uses: ./.github/actions/self_managed_create
         with:
           cloudProvider: ${{ inputs.cloudProvider }}
-          osImage: ${{ steps.setImage.outputs.image }}
 
     - name: Cdbg deploy
       if: inputs.isDebugImage == 'true'
diff --git a/.github/actions/self_managed_create/action.yml b/.github/actions/self_managed_create/action.yml
index 164a1b890f..399e5867be 100644
--- a/.github/actions/self_managed_create/action.yml
+++ b/.github/actions/self_managed_create/action.yml
@@ -5,9 +5,6 @@ inputs:
   cloudProvider:
     description: "The cloud provider the test runs on."
     required: true
-  osImage:
-    description: "OS image to use."
-    required: true
 
 runs:
   using: "composite"
@@ -19,6 +16,13 @@ runs:
         cp -r ${{ github.workspace }}/cli/internal/terraform/terraform/${{ inputs.cloudProvider }} ${{ github.workspace }}/e2e-infra
         cp ${{ github.workspace }}/constellation-conf.yaml ${{ github.workspace }}/e2e-infra
 
+    - name: Get CSP image reference
+      id: get_image
+      shell: bash
+      working-directory: ${{ github.workspace }}/e2e-infra
+      run : |
+        echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT
+
     - name: Write Terraform variables
       shell: bash
       working-directory: ${{ github.workspace }}/e2e-infra
@@ -26,7 +30,7 @@ runs:
         echo "name = \"$(yq '.name' constellation-conf.yaml)\"" >> terraform.tfvars
         echo "debug = $(yq '.debugCluster' constellation-conf.yaml)" >> terraform.tfvars
         echo "custom_endpoint = \"$(yq '.customEndpoint' constellation-conf.yaml)\"" >> terraform.tfvars
-        echo "image_id = \"${{ inputs.osImage }}\"" >> terraform.tfvars
+        echo "image_id = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars
         echo "node_groups = {
           control_plane_default = {
             role = \"$(yq '.nodeGroups.control_plane_default.role' constellation-conf.yaml)\"
@@ -52,7 +56,7 @@ runs:
           echo "iam_instance_profile_worker_nodes = \"$(yq '.provider.aws.iamProfileWorkerNodes' constellation-conf.yaml)\"" >> terraform.tfvars
           echo "region = \"$(yq '.provider.aws.region' constellation-conf.yaml)\"" >> terraform.tfvars
           echo "zone = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars
-          echo "ami = \"$(yq '.provider.aws.zone' constellation-conf.yaml)\"" >> terraform.tfvars
+          echo "ami = \"${{ steps.get_image.outputs.image_ref }}\"" >> terraform.tfvars
           echo "enable_snp = $(yq '.attestation | has("awsSEVSNP")' constellation-conf.yaml)" >> terraform.tfvars
         elif [[ "${{ inputs.cloudProvider }}" == 'azure' ]]; then
           echo "location = \"$(yq '.provider.azure.location' constellation-conf.yaml)\"" >> terraform.tfvars
diff --git a/hack/image-fetch/BUILD.bazel b/hack/image-fetch/BUILD.bazel
new file mode 100644
index 0000000000..04cd13dcdd
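Review bot: The `Get CSP image reference` step cannot fail: `echo "image_ref=$(bazel run //hack/image-fetch:image-fetch)" >> $GITHUB_OUTPUT` reports echo's exit status, so a failing image-fetch leaves image_ref empty and the `image_id`/`ami` lines added in the -26 and -52 hunks are then written to terraform.tfvars with an empty string. Capture first so the step's `bash -e` aborts on failure: `image_ref=$(bazel run //hack/image-fetch:image-fetch)` followed by `echo "image_ref=${image_ref}" >> "$GITHUB_OUTPUT"`. Anything the tool prints to stdout besides the reference (main.go prints config validation messages there too) would also land in the Terraform variable, so the tool's stdout should carry the reference alone. The key is spelled `run :` with a space before the colon; YAML trims it so it still parses as `run`, but it should match the `run:` of the neighbouring steps.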
--- /dev/null
+++ b/hack/image-fetch/BUILD.bazel
@@ -0,0 +1,22 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "image-fetch_lib",
+    srcs = ["main.go"],
+    importpath = "github.com/edgelesssys/constellation/v2/hack/image-fetch",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//internal/api/attestationconfigapi",
+        "//internal/config",
+        "//internal/constants",
+        "//internal/file",
+        "//internal/imagefetcher",
+        "@com_github_spf13_afero//:afero",
+    ],
+)
+
+go_binary(
+    name = "image-fetch",
+    embed = [":image-fetch_lib"],
+    visibility = ["//visibility:public"],
+)
diff --git a/hack/image-fetch/main.go b/hack/image-fetch/main.go
new file mode 100644
index 0000000000..5ebfc7a706
--- /dev/null
+++ b/hack/image-fetch/main.go
@@ -0,0 +1,54 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+/*
+imagefetch retrieves a CSP image reference from a Constellation config in the CWD.
+This is especially useful when using self-managed infrastructure, where the image
+reference needs to be chosen by the user, which would usually happen manually.
+*/
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/edgelesssys/constellation/v2/internal/api/attestationconfigapi"
+	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/file"
+	"github.com/edgelesssys/constellation/v2/internal/imagefetcher"
+	"github.com/spf13/afero"
+)
+
+func main() {
+	cwd := os.Getenv("BUILD_WORKING_DIRECTORY") // set by Bazel, for bazel run compatibility
+	ctx := context.Background()
+
+	fh := file.NewHandler(afero.NewOsFs())
+	attFetcher := attestationconfigapi.NewFetcher()
+	conf, err := config.New(fh, filepath.Join(cwd, constants.ConfigFilename), attFetcher, true)
+	var configValidationErr *config.ValidationError
+	if errors.As(err, &configValidationErr) {
+		fmt.Println(configValidationErr.LongMessage())
+	}
+	if err != nil {
+		panic(err)
+	}
+
+	imgFetcher := imagefetcher.New()
+	provider := conf.GetProvider()
+	attestationVariant := conf.GetAttestationConfig().GetVariant()
+	region := conf.GetRegion()
+	image, err := imgFetcher.FetchReference(ctx, provider, attestationVariant, conf.Image, region)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println(image)
+}
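Review bot: Diagnostics share stdout with the machine-readable result: `fmt.Println(configValidationErr.LongMessage())` writes to the same stream the calling action captures into `image_ref`, and the two `panic(err)` exits print a stack trace instead of a plain error. Validation output and errors belong on stderr with `os.Exit(1)` on failure, so stdout carries only the image reference. Separately, `cwd` is the empty string when `BUILD_WORKING_DIRECTORY` is unset (the binary run outside `bazel run`); `filepath.Join("", constants.ConfigFilename)` then yields a path relative to the process working directory, which is presumably the intended fallback but deserves a comment such as `// Empty outside "bazel run": filepath.Join then resolves the config relative to the process CWD.`
```go
	conf, err := config.New(fh, filepath.Join(cwd, constants.ConfigFilename), attFetcher, true)
	var configValidationErr *config.ValidationError
	if errors.As(err, &configValidationErr) {
		// stdout is reserved for the image reference; diagnostics go to stderr.
		fmt.Fprintln(os.Stderr, configValidationErr.LongMessage())
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "loading config:", err)
		os.Exit(1)
	}
	// … unchanged: image fetcher setup …
	image, err := imgFetcher.FetchReference(ctx, provider, attestationVariant, conf.Image, region)
	if err != nil {
		fmt.Fprintln(os.Stderr, "fetching image reference:", err)
		os.Exit(1)
	}
	// … unchanged: fmt.Println(image) …
```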