feat: add Google Metadata support and TDX container test

- Introduced `google-metadata` binary for reading GCP instance attributes. - Added TDX container test with new `container-test-tdx` package. - Updated Nix workflow and deployment scripts for Google Metadata integration. - Bumped `anyhow` to 1.0.95 and updated Cargo.lock.
matter-labs · Jan 27, 2025 · e16dc46 · e16dc46
1 parent e2c3191
commit e16dc46
Show file tree

Hide file tree

Showing 15 changed files with 284 additions and 52 deletions.
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
@@ -73,6 +73,7 @@ jobs:
           - { nixpackage: 'container-self-attestation-test-sgx-azure' }
           - { nixpackage: 'container-verify-attestation-sgx' }
           - { nixpackage: 'container-verify-era-proof-attestation-sgx' }
+          - { nixpackage: 'container-test-tdx' }
     steps:
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v30

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/assets/config.json b/assets/config.json
@@ -0,0 +1,4 @@
+{
+  "foo": "bar",
+  "bar": "baz"
+}
diff --git a/assets/gcloud-deploy.sh b/assets/gcloud-deploy.sh
@@ -7,8 +7,12 @@
 
 set -ex
 
+BASE_DIR=${0%/*}
+
 NO=${NO:-1}
 
+ZONE=${ZONE:-us-central1-c}
+
 nix build -L .#tdx_google
 
 gsutil cp result/tdx_base_1.vmdk gs://tdx_vms/
@@ -21,8 +25,8 @@ gcloud migration vms image-imports create \
          --source-file=gs://tdx_vms/tdx_base_1.vmdk \
          tdx-img-pre-"${NO}"
 
-gcloud compute instances stop tdx-pilot --zone us-central1-c --project tdx-pilot || :
-gcloud compute instances delete tdx-pilot --zone us-central1-c --project tdx-pilot || :
+gcloud compute instances stop tdx-pilot --zone ${ZONE} --project tdx-pilot || :
+gcloud compute instances delete tdx-pilot --zone ${ZONE} --project tdx-pilot || :
 
 while gcloud migration vms image-imports list --location=us-central1 --project=tdx-pilot | grep -F RUNNING; do
     sleep 1
@@ -36,10 +40,11 @@ gcloud compute images create \
          tdx-img-f-"${NO}"
 
 gcloud compute instances create tdx-pilot \
-         --machine-type c3-standard-4 --zone us-central1-c \
+         --machine-type c3-standard-4 --zone ${ZONE} \
          --confidential-compute-type=TDX \
          --maintenance-policy=TERMINATE \
          --image-project=tdx-pilot \
          --project tdx-pilot \
-         --metadata=container_hub="docker.io",container_image="amd64/hello-world@sha256:e2fc4e5012d16e7fe466f5291c476431beaa1f9b90a5c2125b493ed28e2aba57" \
+         --metadata=container_hub="docker.io",container_image="matterlabsrobot/test-tdx:117p5y281limw0w7b03v802ij00c5gzw" \
+         --metadata-from-file=container_config=$BASE_DIR/config.json \
          --image tdx-img-f-"${NO}"
diff --git a/bin/google-metadata/Cargo.toml b/bin/google-metadata/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "google-metadata"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+reqwest.workspace = true
+serde_json.workspace = true
+tokio.workspace = true
+reqwest-middleware = "0.4.0"
+reqwest-retry = "0.7.0"
diff --git a/bin/google-metadata/src/main.rs b/bin/google-metadata/src/main.rs
@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+use anyhow::{bail, Result};
+use reqwest::Client;
+use reqwest_middleware::{ClientBuilder, ClientWithMiddleware};
+use reqwest_retry::{policies::ExponentialBackoff, Jitter, RetryTransientMiddleware};
+use serde_json::Value;
+use std::time::Duration;
+
+const DEFAULT_INSTANCE_METADATA_BASE_URL: &str =
+    "http://metadata.google.internal/computeMetadata/v1/instance/attributes";
+
+async fn fetch_gcp_metadata(
+    http_client: &ClientWithMiddleware,
+    metadata_key: &str,
+) -> Result<Value> {
+    // Validate the metadata key:
+    if metadata_key.is_empty() {
+        bail!("Empty metadata_key");
+    }
+
+    let url = format!("{DEFAULT_INSTANCE_METADATA_BASE_URL}/{metadata_key}");
+
+    // Make an HTTP GET request:
+    let response = http_client
+        .get(url)
+        .header("Metadata-Flavor", "Google")
+        .send()
+        .await?;
+
+    // Handle response:
+    if response.status().is_success() {
+        let metadata_text = response.text().await?;
+        serde_json::from_str(&metadata_text)
+            .map_err(|e| anyhow::format_err!("Failed to parse metadata JSON: {}", e))
+    } else {
+        let status = response.status();
+        let error_body = response
+            .text()
+            .await
+            .unwrap_or_else(|_| "<empty>".to_string());
+        bail!(
+            "Failed to fetch metadata: {}, Response body: {}",
+            status,
+            error_body
+        );
+    }
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    // Build the client with retry middleware and exponential backoff:
+    let retry_policy = ExponentialBackoff::builder()
+        .retry_bounds(Duration::from_secs(1), Duration::from_secs(32))
+        .jitter(Jitter::Bounded)
+        .base(2)
+        .build_with_total_retry_duration(Duration::from_secs(60));
+    let client = ClientBuilder::new(Client::builder().build()?) // Underlying reqwest client
+        .with(RetryTransientMiddleware::new_with_policy(retry_policy)) // Add retry middleware
+        .build();
+
+    // Fetch and display metadata:
+    match fetch_gcp_metadata(&client, "container_config").await {
+        Ok(container_config) => {
+            println!("Container config:\n{:#?}", container_config);
+        }
+        Err(e) => {
+            eprintln!("Error fetching container config: {}", e);
+        }
+    }
+
+    Ok(())
+}
diff --git a/checks/cargoClippy/default.nix b/checks/cargoClippy/default.nix
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ teepot }: teepot.teepot.passthru.craneLib.cargoClippy (
+  teepot.teepot.passthru.commonArgs // {
+    pname = "teepot";
+    inherit (teepot.teepot.passthru) cargoArtifacts;
+  }
+)
diff --git a/packages/cargoFmt/default.nix → checks/cargoDeny/default.nix b/packages/cargoFmt/default.nix → checks/cargoDeny/default.nix
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Matter Labs
-{ teepotCrate }: teepotCrate.craneLib.cargoFmt (
-  teepotCrate.commonArgs // {
+{ teepot }: teepot.teepot.passthru.craneLib.cargoDeny (
+  teepot.teepot.passthru.commonArgs // {
     pname = "teepot";
   }
 )
diff --git a/packages/cargoDeny/default.nix → checks/cargoFmt/default.nix b/packages/cargoDeny/default.nix → checks/cargoFmt/default.nix
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Matter Labs
-{ teepotCrate }: teepotCrate.craneLib.cargoDeny (
-  teepotCrate.commonArgs // {
+{ teepot }: teepot.teepot.passthru.craneLib.cargoFmt (
+  teepot.teepot.passthru.commonArgs // {
     pname = "teepot";
   }
 )