ci: embed prod policy settings on release

This commit blesses the Microsoft fork of the Kata Containers policy and settings. Why not ours? * Any divergence from upstream configs risks security relevant divergence and would need continuous justification. * We can contribute missing policy features upstream, if needed. Why not kata-containers/kata-containers? * We assume that the Microsoft fork is customized to the AKS environment that we're targeting, and we want to stay compatible with that. * The genpolicy tool and its config are not compatible across minor versions (e.g., a policy generated from Kata head today is not accepted by the Kata Agent available in the AKS preview today).
edgelesssys · Feb 22, 2024 · 0d1f152 · 0d1f152
1 parent 037d102
commit 0d1f152
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/packages/by-name/cli-release/package.nix b/packages/by-name/cli-release/package.nix
@@ -1,6 +1,16 @@
-{ nunki }:
+{ lib
+, nunki
+, genpolicy-msft
+, genpolicy ? genpolicy-msft
+}:
 
 (nunki.overrideAttrs (_finalAttrs: previousAttrs: {
+  prePatch = ''
+    install -D ${lib.getExe genpolicy} cli/assets/genpolicy
+    install -D ${genpolicy.settings}/genpolicy-settings.json cli/assets/genpolicy-settings.json
+    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
+  '';
+
   ldflags = previousAttrs.ldflags ++ [
     "-X main.DefaultCoordinatorPolicyHash=${builtins.readFile ../../../cli/assets/coordinator-policy-hash}"
   ];