Prepare for using azure cleanroom in tests #214
Open: DomAyre wants to merge 23 commits into main from az-cleanroom (+565 −485)
- d08ee56 Prepare for using azure cleanroom in tests (DomAyre)
- a840e15 Fix quote issue (DomAyre)
- 9cef787 Fix env in CI (DomAyre)
- bb93265 Print env vars when setting up (DomAyre)
- 41dacc2 Ensure npm install has run (DomAyre)
- 2f7f776 Fix typo (DomAyre)
- 6254bde Export env more safely (DomAyre)
- fa03812 Manually test heartbeat (DomAyre)
- a3ac245 Clean up after manual heartbeat (DomAyre)
- 0829e45 TMP: Print the output of the up script (DomAyre)
- 63a0bae Print more debug info (DomAyre)
- 5fa4a5c . (DomAyre)
- 233083c . (DomAyre)
- f5c561e . (DomAyre)
- a5a6997 Print failing output (DomAyre)
- fdd2480 Stop build logs getting into the env vars (DomAyre)
- 42b8f9a Use new code in makefile targets (DomAyre)
- 364c7a6 Run e2e tests (DomAyre)
- 35bda45 Respect member count (DomAyre)
- b38406e Ensure that CCF sandbox isn't recreated (DomAyre)
- b93f6f9 Update makefile targets (DomAyre)
- bb5fd7b Move jwt-issuer-trust script to kms subdir (DomAyre)
- 40151e9 . (DomAyre)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT license. | ||
|
||
ccf-propose() { | ||
set -e | ||
|
||
echo "Proposing: $1" | ||
echo " to $KMS_URL" | ||
echo " cert: $KMS_SERVICE_CERT_PATH" | ||
echo " as $KMS_MEMBER_CERT_PATH" | ||
ccf_cose_sign1 \ | ||
--content $1 \ | ||
--signing-cert ${KMS_MEMBER_CERT_PATH} \ | ||
--signing-key ${KMS_MEMBER_PRIVK_PATH} \ | ||
--ccf-gov-msg-type proposal \ | ||
--ccf-gov-msg-created_at $(date -Is) \ | ||
| curl $KMS_URL/gov/proposals -k -H "Content-Type: application/cose" \ | ||
--data-binary @- \ | ||
-s \ | ||
--cacert $KMS_SERVICE_CERT_PATH -w '\n' \ | ||
| jq | ||
|
||
set +e | ||
} | ||
|
||
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then | ||
ccf-propose "$@" | ||
fi |
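Review bot: The `curl $KMS_URL/gov/proposals -k ... --cacert $KMS_SERVICE_CERT_PATH` call passes `-k`, which turns off server certificate verification and makes the `--cacert` pin ineffective, so the signed proposal is posted to whatever answers at `$KMS_URL`. Drop `-k` and rely on `--cacert`, as the `heartbeat` function later in this PR does. The pipeline also runs without `set -o pipefail`, so a failure in `ccf_cose_sign1` or `curl` is hidden behind the exit status of `jq`, and `--content $1` and the certificate and key path variables should be quoted.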
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT license. | ||
|
||
ccf-sandbox-local-down() { | ||
set -e | ||
|
||
REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../../..")" | ||
docker compose -f $REPO_ROOT/services/docker-compose.yml down ccf-sandbox --remove-orphans | ||
|
||
unset KMS_URL | ||
unset KMS_SERVICE_CERT_PATH | ||
unset KMS_MEMBER_CERT_PATH | ||
unset KMS_MEMBER_PRIVK_PATH | ||
|
||
set +e | ||
} | ||
|
||
ccf-sandbox-local-down |
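Review bot: The `unset KMS_URL` and following `unset` lines only affect the caller when this file is sourced, and in that case the `set -e` inside `ccf-sandbox-local-down` applies to the caller's shell: a failing `docker compose ... down` terminates that shell, and the closing `set +e` switches errexit off even if the caller had it on. Returning an explicit status from the function instead of toggling `set -e`, and documenting that the script is meant to be sourced, would avoid both. `WORKSPACE`, which the up script exports, is not unset here, and `$REPO_ROOT` is unquoted in the `-f` argument.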
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT license. | ||
|
||
ccf-sandbox-local-up() { | ||
set -e | ||
|
||
REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../../..")" | ||
|
||
export WORKSPACE="$(realpath ${WORKSPACE:-$REPO_ROOT/workspace})" | ||
mkdir -p $WORKSPACE | ||
docker compose -f $REPO_ROOT/services/docker-compose.yml build ccf-sandbox > /dev/null 2>&1 | ||
docker compose -f $REPO_ROOT/services/docker-compose.yml up ccf-sandbox --wait | ||
sudo chown $USER:$USER -R $WORKSPACE | ||
|
||
export KMS_URL="https://127.0.0.1:8000" | ||
export KMS_SERVICE_CERT_PATH="$WORKSPACE/sandbox_common/service_cert.pem" | ||
export KMS_MEMBER_CERT_PATH="$WORKSPACE/sandbox_common/member0_cert.pem" | ||
export KMS_MEMBER_PRIVK_PATH="$WORKSPACE/sandbox_common/member0_privk.pem" | ||
|
||
set +e | ||
} | ||
|
||
ccf-sandbox-local-up | ||
|
||
jq -n '{ | ||
WORKSPACE: env.WORKSPACE, | ||
KMS_URL: env.KMS_URL, | ||
KMS_SERVICE_CERT_PATH: env.KMS_SERVICE_CERT_PATH, | ||
KMS_MEMBER_CERT_PATH: env.KMS_MEMBER_CERT_PATH, | ||
KMS_MEMBER_PRIVK_PATH: env.KMS_MEMBER_PRIVK_PATH | ||
}' |
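Review bot: `sudo chown $USER:$USER -R $WORKSPACE` runs as root on an unquoted path taken from the caller's environment, so a `WORKSPACE` value containing spaces or glob characters changes ownership of paths other than the intended directory; quote it here and in `mkdir -p $WORKSPACE` and `realpath ${WORKSPACE:-$REPO_ROOT/workspace}`. Separately, `build ccf-sandbox > /dev/null 2>&1` discards build errors, so under `set -e` the script exits with no diagnostic; redirecting the build output to stderr with `>&2` would keep stdout clean for the final `jq -n` JSON while preserving the error text. The exported paths include `member0_privk.pem`, so the permissions on the workspace directory are worth setting explicitly after the chown.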
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT license. | ||
|
||
set -e | ||
|
||
docker compose -f services/docker-compose.yml down jwt-issuer --remove-orphans |
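Review bot: `-f services/docker-compose.yml` is resolved against the current directory, so this script only works when invoked from the repository root, unlike the CCF sandbox scripts in this PR, which derive `REPO_ROOT` from `BASH_SOURCE`. Compute `REPO_ROOT` the same way here and pass `-f "$REPO_ROOT/services/docker-compose.yml"`.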
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT license. | ||
|
||
set -e | ||
|
||
REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")" | ||
export WORKSPACE=$(realpath ${WORKSPACE:-$REPO_ROOT/workspace}) | ||
|
||
docker compose -f services/docker-compose.yml up jwt-issuer --wait | ||
|
||
sudo chown $USER:$USER -R $WORKSPACE |
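Review bot: `REPO_ROOT` is computed at the top, but the `docker compose -f services/docker-compose.yml up jwt-issuer --wait` line still uses a path relative to the current directory, so the script fails when run from anywhere other than the repository root; use `-f "$REPO_ROOT/services/docker-compose.yml"`. The `sudo chown $USER:$USER -R $WORKSPACE` line should quote `$WORKSPACE`, since it runs under sudo on a value inherited from the environment.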
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT license. | ||
|
||
constitution-set() { | ||
set -e | ||
|
||
REPO_ROOT="$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/../..")" | ||
CONSTITUTION_PATH=$1 | ||
|
||
# Get the current constitution | ||
curl -k $KMS_URL/gov/service/constitution?api-version=2024-07-01 > $WORKSPACE/proposals/constitution.js | ||
|
||
# Append the consitution given | ||
cat "$CONSTITUTION_PATH" >> $WORKSPACE/proposals/constitution.js | ||
|
||
# Construct the proposal | ||
jq --arg constitution "$(tr -s ' ' < "$WORKSPACE/proposals/constitution.js")" \ | ||
'.actions[0].args.constitution = $constitution' \ | ||
$REPO_ROOT/governance/proposals/set_constitution.json > $WORKSPACE/proposals/set_constitution.json | ||
|
||
# Submit the proposal | ||
source $REPO_ROOT/scripts/ccf/propose.sh | ||
ccf-propose $WORKSPACE/proposals/set_constitution.json | ||
|
||
set +e | ||
} | ||
|
||
constitution-set "$@" |
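Review bot: The constitution fetch, `curl -k $KMS_URL/gov/service/constitution?api-version=2024-07-01 > ...`, disables certificate verification and has no `--fail`, so an HTTP error body or a response from an unverified endpoint is written to `constitution.js` and then submitted as the new constitution. Use `--cacert "$KMS_SERVICE_CERT_PATH"` with `--fail` in place of `-k`, and quote the URL, which contains `?`. Because the given file is appended to whatever the service currently returns, running the script twice appends the same content twice, and `tr -s ' '` squeezes repeated spaces inside string literals as well as indentation. The script also assumes `$WORKSPACE/proposals` already exists.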
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) Microsoft Corporation. | ||
# Licensed under the MIT license. | ||
|
||
heartbeat() { | ||
curl $KMS_URL/app/heartbeat \ | ||
--cacert $KMS_SERVICE_CERT_PATH \ | ||
-w '\n%{http_code}\n' | ||
} | ||
|
||
heartbeat |
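Review bot: `heartbeat` prints `%{http_code}` but calls `curl` without `--fail`, so the function returns 0 for a 4xx or 5xx response and callers cannot use its exit status as a health check. Add `--fail` (or capture the code and compare it to the expected value), and quote `$KMS_URL` and `$KMS_SERVICE_CERT_PATH`. The unconditional `heartbeat` call at the bottom also runs when the file is sourced; the `BASH_SOURCE` guard used in the propose script would avoid that.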
These scripts force the usage of containers. So running KMS locally will no longer be possible. By the way, this is how I do my dev work. What are the limitations going forward?
In development you frequently start KMS. Containers have this persistent state behavior if you don't completely remove them. Meaning rebuilding of the container for every dev step.
Using CCF only from the container is indeed a choice we need to make carefully, my reasons for supporting this choice are:
I believe the considerations you raise aren't bad enough to outweigh the benefits for the following reasons:
`docker compose down` cleans up for you, I've never had trouble with it
How much work would it be to support Ronny's way of working as well?
It's possible, we would need:
`/scripts/ccf/sandbox-local-non-container/` directory with up and down scripts
Personally I see that as a pain, and I don't see any benefits vs just starting the off the shelf CCF container and treating it like every other use case of CCF