

generate: add flag for aks reference values
When the flag is not specified, the manifest is generated with null (invalid) reference values, which the user must fill in before use.
davidweisse committed Jun 25, 2024
1 parent 44d93fe commit 2b7c9e4
Showing 5 changed files with 35 additions and 10 deletions.
13 changes: 13 additions & 0 deletions cli/cmd/generate.go
Expand Up @@ -63,6 +63,7 @@ subcommands.`,
cmd.Flags().StringP("policy", "p", rulesFilename, "path to policy (.rego) file")
cmd.Flags().StringP("settings", "s", settingsFilename, "path to settings (.json) file")
cmd.Flags().StringP("manifest", "m", manifestFilename, "path to manifest (.json) file")
cmd.Flags().String("reference-values", "", "set the default reference values used for attestation (one of: aks)")
cmd.Flags().StringArrayP("workload-owner-key", "w", []string{workloadOwnerPEM}, "path to workload owner key (.pem) file")
cmd.Flags().BoolP("disable-updates", "d", false, "prevent further updates of the manifest")
cmd.Flags().String("image-replacements", "", "path to image replacements file")
Expand Down Expand Up @@ -115,6 +116,9 @@ func runGenerate(cmd *cobra.Command, args []string) error {
}

defaultManifest := manifest.Default()
if flags.referenceValues == "aks" {
defaultManifest = manifest.DefaultAKS()
}
defaultManifestData, err := json.MarshalIndent(&defaultManifest, "", " ")
if err != nil {
return fmt.Errorf("marshaling default manifest: %w", err)
Expand Down Expand Up @@ -445,6 +449,7 @@ type generateFlags struct {
policyPath string
settingsPath string
manifestPath string
referenceValues string
workloadOwnerKeys []string
disableUpdates bool
workspaceDir string
Expand All @@ -465,6 +470,13 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
if err != nil {
return nil, err
}
referenceValues, err := cmd.Flags().GetString("reference-values")
if err != nil {
return nil, err
}
if !slices.Contains([]string{"", "aks"}, referenceValues) {
return nil, fmt.Errorf("unknown reference values")
}
workloadOwnerKeys, err := cmd.Flags().GetStringArray("workload-owner-key")
if err != nil {
return nil, err
Expand Down Expand Up @@ -507,6 +519,7 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
policyPath: policyPath,
settingsPath: settingsPath,
manifestPath: manifestPath,
referenceValues: referenceValues,
workloadOwnerKeys: workloadOwnerKeys,
disableUpdates: disableUpdates,
workspaceDir: workspaceDir,
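Review bot: The `--reference-values` validation in parseGenerateFlags reports `unknown reference values` without the offending string, and the accepted set is now spelled out three times — in the flag help text, in the slices.Contains list, and in the `== "aks"` compare in runGenerate — so a second platform needs three coordinated edits. Consider `return nil, fmt.Errorf("unknown reference values %q (one of: aks)", referenceValues)` and, in runGenerate, a `switch flags.referenceValues` whose `default` returns an error instead of silently falling through to manifest.Default(). Because the unflagged path now writes a manifest whose SNP reference values are null (per the commit description), a warning on that path would help a user notice before deploying; whether the coordinator rejects such a manifest is not visible here. Both parseGenerateFlags and runGenerate start and end outside these hunks.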
2 changes: 1 addition & 1 deletion coordinator/internal/authority/authority_test.go
Expand Up @@ -79,7 +79,7 @@ func newManifest(t *testing.T) (*manifest.Manifest, []byte, [][]byte) {
policyHash := sha256.Sum256(policy)
policyHashHex := manifest.NewHexString(policyHash[:])

mnfst := manifest.Default()
mnfst := manifest.DefaultAKS()
mnfst.Policies = map[manifest.HexString][]string{policyHashHex: {"test"}}
mnfst.WorkloadOwnerKeyDigests = []manifest.HexString{keyDigest}
mnfstBytes, err := json.Marshal(mnfst)
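Review bot: Switching newManifest to DefaultAKS keeps the authority tests green but leaves the new shape of manifest.Default() — nil MinimumTCB pointers that serialize as null — without any coverage, even though that is exactly what `generate` now emits when the flag is omitted. A test that builds a manifest from manifest.Default() and asserts the intended outcome (rejection when the manifest is set, or a clear attestation failure — which one is intended is not visible from this diff) would pin the behavior so null reference values cannot be silently accepted. newManifest continues outside the hunk.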
7 changes: 6 additions & 1 deletion e2e/internal/contrasttest/contrasttest.go
Expand Up @@ -133,7 +133,12 @@ func (ct *ContrastTest) Init(t *testing.T, resources []any) {
func (ct *ContrastTest) Generate(t *testing.T) {
require := require.New(t)

args := append(ct.commonArgs(), "--image-replacements", ct.ImageReplacementsFile, path.Join(ct.WorkDir, "resources.yaml"))
args := append(
ct.commonArgs(),
"--image-replacements", ct.ImageReplacementsFile,
"--reference-values", "aks",
path.Join(ct.WorkDir, "resources.yaml"),
)

generate := cmd.NewGenerateCmd()
generate.Flags().String("workspace-dir", "", "") // Make generate aware of root flags
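Review bot: Hard-coding `"--reference-values", "aks"` in ContrastTest.Generate ties every e2e run to the AKS reference values, so the harness cannot be reused for another platform without editing it. A field on ContrastTest (e.g. `ReferenceValues string`, set to `"aks"` where the struct is constructed) passed as `"--reference-values", ct.ReferenceValues` would keep this change and make the platform a test parameter. The ContrastTest struct definition and its constructor are outside the hunk.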
22 changes: 14 additions & 8 deletions internal/manifest/constants.go
Expand Up @@ -10,19 +10,25 @@ var trustedMeasurement = "000000000000000000000000000000000000000000000000000000
func Default() Manifest {
return Manifest{
ReferenceValues: ReferenceValues{
SNP: SNPReferenceValues{
MinimumTCB: SNPTCB{
BootloaderVersion: toPtr(SVN(3)),
TEEVersion: toPtr(SVN(0)),
SNPVersion: toPtr(SVN(8)),
MicrocodeVersion: toPtr(SVN(115)),
},
},
TrustedMeasurement: HexString(trustedMeasurement),
},
}
}

// DefaultAKS returns a default manifest with AKS reference values.
func DefaultAKS() Manifest {
mnfst := Default()
mnfst.ReferenceValues.SNP = SNPReferenceValues{
MinimumTCB: SNPTCB{
BootloaderVersion: toPtr(SVN(3)),
TEEVersion: toPtr(SVN(0)),
SNPVersion: toPtr(SVN(8)),
MicrocodeVersion: toPtr(SVN(115)),
},
}
return mnfst
}

func toPtr[T any](t T) *T {
return &t
}
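Review bot: DefaultAKS pins the minimum TCB (bootloader 3, TEE 0, SNP 8, microcode 115) with no note on where the numbers come from or when they were last checked, and these values are the security floor for attestation: too low accepts rolled-back firmware, too high fails on current nodes. A provenance comment such as `// Minimum SEV-SNP TCB observed on AKS CVM nodes as of 2024-06; raise when AKS rolls out new firmware.` above the SNPTCB literal would make future bumps reviewable. Default() still carries TrustedMeasurement from the package-level trustedMeasurement, which the hunk header shows beginning with a run of zeros — if that is a placeholder, both constructors inherit it; its definition is cut off at the top of the hunk.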
1 change: 1 addition & 0 deletions justfile
Expand Up @@ -79,6 +79,7 @@ generate cli=default_cli:
nix run .#{{ cli }} -- generate \
--workspace-dir ./{{ workspace_dir }} \
--image-replacements ./{{ workspace_dir }}/just.containerlookup \
--reference-values aks \
./{{ workspace_dir }}/deployment/*.yml
duration=$(( $(date +%s) - $t ))
echo "Generated policies in $duration seconds."

