From d541af66d5c5d249a535c20aa75131d7be7db54a Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 14 Feb 2024 11:20:32 +0100
Subject: [PATCH 1/2] nix: explicitly set PATH for OCI images
This deals with a missing feature of genpolicy: the Kata runtime adds a default PATH environment variable if there is none in the image configuration, but the genpolicy tool does not add a corresponding allowlist entry. We work around that by just setting a PATH, although we don't need it. This fix allows to use the upstream genpolicy-settings.json, which we're switching to simultaneously.
Co-authored-by: 3u13r
---
 packages/default.nix | 8 +++++---
 packages/genpolicy_msft.nix | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/default.nix b/packages/default.nix
index a31f0e9145..1528364121 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -89,6 +89,7 @@ rec {
 copyToRoot = with dockerTools; [ caCertificates ];
 config = {
 Cmd = [ "${nunki.coordinator}/bin/coordinator" ];
+ Env = [ "PATH=/bin" ]; # This is only here for policy generation.
 };
 };
 initializer = dockerTools.buildImage {
@@ -97,6 +98,7 @@ rec {
 copyToRoot = with dockerTools; [ caCertificates ];
 config = {
 Cmd = [ "${nunki.initializer}/bin/initializer" ];
+ Env = [ "PATH=/bin" ]; # This is only here for policy generation.
 };
 };
 
@@ -106,6 +108,7 @@ rec {
 copyToRoot = [ openssl bash coreutils ncurses bashInteractive vim procps ];
 config = {
 Cmd = [ "bash" ];
+ Env = [ "PATH=/bin" ]; # This is only here for policy generation.
 };
 };
 port-forwarder = dockerTools.buildImage {
@@ -273,7 +276,7 @@ rec {
 # write-coordinator-yaml prints a Nunki Coordinator deployment including the default policy.
 # It's intended for two purposes: (1) releasing a portable coordinator.yaml and (2) updating the embedded policy hash.
 write-coordinator-yaml = writeShellApplication {
- name = "print-coordinator-policy";
+ name = "write-coordinator-yaml";
 runtimeInputs = [ yq-go genpolicy
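Review bot: The added `Env` line is a load-bearing part of the attestation policy rather than a cosmetic image setting, yet its comment describes it as only being there for policy generation; the same line and comment recur in the initializer and openssl image hunks below. If a maintainer drops it because the binaries do not need a PATH, the image config carries no PATH again, the Kata runtime presumably injects its default, and the generated policy has no matching allowlist entry, which I would expect to make the agent reject the container at start. I would state that consequence in the comment and keep the three copies from drifting by hoisting the value into one binding, e.g. `policyEnv = [ "PATH=/bin" ]; # Kata injects a default PATH when the image has none, but genpolicy does not allowlist it; keep this identical across all images.` and `Env = policyEnv;` in each config. The `rec { ... }` attribute set these images live in begins outside the hunk.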
@@ -289,8 +292,7 @@ rec {
 "del(.metadata.namespace) | (select(.kind == \"Deployment\") | .spec.template.spec.containers[0].image) = \"$imageRef\""
 
 pushd "$tmpdir" >/dev/null
- # TODO(burgerdev): this should not be dev, but there are unknown env vars
- cp ${genpolicy.settings-dev}/genpolicy-settings.json .
+ cp ${genpolicy.settings}/genpolicy-settings.json .
 cp ${genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
 genpolicy < "$tmpdir/coordinator.yml"
 popd >/dev/null
diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index f0d239e878..3e72187e8a 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -49,6 +49,7 @@ rustPlatform.buildRustPackage rec {
 postFetch = "install -D $downloadedFile $out/genpolicy-settings.json";
 };
 
+ # Settings that allow exec into CVM pods - not safe for production use!
 settings-dev = applyPatches {
 src = settings;
 patches = [ ./genpolicy_msft_settings_dev.patch ];
From a79432267c9188b2fd3dffb101d4aacf6936570c Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 14 Feb 2024 11:44:53 +0100
Subject: [PATCH 2/2] ci: publish release-quality artifacts
This commit makes Nunki releases self-contained, in the sense that users only need the published artifacts in order to get a working coordinator, by making the following changes to the release process.
* Update the embeddable coordinator policy hash on the release branch.
* Publish the release variant of the CLI, including the embedded policy hash.
* Include a coordinator deployment definition in the release that is compatible to the embedded coordinator hash.
This does not address the users' need for initializers and service mesh sidecars yet.
---
 .github/workflows/release.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 23d1279306..298d53dc37 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
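Review bot: Switching the coordinator policy to the production settings is right, but the yq filter string at the top of this hunk still splices `$imageRef` into the program text through shell interpolation, so a ref containing a double quote or yq syntax changes the filter rather than the value. Since this script now produces the release coordinator.yaml whose policy hash gets embedded in the CLI, I would pass the ref as data instead, e.g. `IMAGE_REF="$imageRef" yq ... '... | .spec.template.spec.containers[0].image) = strenv(IMAGE_REF)'`, which yq-go supports. The writeShellApplication text block, including the yq invocation and the `$tmpdir` setup, begins outside the hunk.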
@@ -170,9 +170,23 @@ jobs:
 run: |
 nix run .#push-coordinator -- "$container_registry/nunki/coordinator"
 nix run .#push-initializer -- "$container_registry/nunki/initializer"
+ - name: Create portable coordinator resource definitions
+ run: |
+ mkdir -p workspace
+ nix run .#write-coordinator-yaml -- "${container_registry}/nunki/coordinator" > workspace/coordinator.yaml
+ - name: Update coordinator policy hash
+ run: |
+ yq < workspace/coordinator.yaml \
+ 'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' |
+ base64 -d | sha256sum | cut -d " " -f1 > cli/assets/coordinator-policy-hash
+
+ git config --global user.name "edgelessci"
+ git config --global user.email "edgelessci@users.noreply.github.com"
+ git add cli/assets/coordinator-policy-hash
+ git diff --staged --quiet || git commit -m "release: update coordinator policy hash"
 - name: Build CLI
 run: |
- nix build .#cli
+ nix build .#cli-release
 - name: Create draft release
 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
 with:
@@ -182,6 +196,7 @@ jobs:
 target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
 files: |
 result-cli/bin/nunki
+ workspace/coordinator.yaml
 - name: Reset temporary changes
 run: |
 git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
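Review bot: The hash pipeline in the new "Update coordinator policy hash" step can write a bogus value without failing: with the default `run:` shell (no pipefail unless the workflow sets `shell: bash` somewhere not visible here), a missing annotation makes the `select(...)` lookup print `null`, `base64 -d` then errors or decodes junk, `cut` still exits 0, and `sha256sum` of that is committed to `cli/assets/coordinator-policy-hash` and embedded into the released CLI as the trust anchor for the coordinator. The step should enable pipefail, capture the annotation first, and stop unless it is a non-empty string and the digest is 64 hex characters, as sketched below. Separately, nothing in this hunk pushes the new commit, and the later "Reset temporary changes" step runs `git reset --hard` against the working branch, so unless a push happens outside the hunk the hash update promised in the commit message only feeds the local `nix build .#cli-release` and never reaches the release branch. The job's steps list begins outside the hunk.
```yaml
      - name: Update coordinator policy hash
        run: |
          set -o pipefail
          policy=$(yq < workspace/coordinator.yaml \
            'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]')
          if [[ -z "$policy" || "$policy" == "null" ]]; then
            echo "coordinator policy annotation not found" >&2
            exit 1
          fi
          hash=$(printf '%s' "$policy" | base64 -d | sha256sum | cut -d " " -f1)
          [[ "$hash" =~ ^[0-9a-f]{64}$ ]] || { echo "unexpected policy hash: $hash" >&2; exit 1; }
          printf '%s\n' "$hash" > cli/assets/coordinator-policy-hash
          # … unchanged: git config / git add / git commit …
```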