wip

mcollins-ttd · mcollins-ttd · commit 3eb35d1d383b · 2025-03-07T14:43:23.000+11:00
diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml
@@ -242,3 +242,73 @@ jobs:
   #     operator_type: azure
   #     operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
   #   secrets: inherit
+
+  azureVn:
+    name: Azure VN
+    runs-on: ubuntu-latest
+    permissions: {}
+    needs: buildImage
+    env:
+      ARTIFACT_PREFIX: azure-vn-
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Azure CLI
+        uses: ./.github/actions/install_az_cli
+
+      - name: check azure-cli version
+        run: |
+          az --version
+
+      - name: Generate Azure deployment artifacts
+        env:
+          IMAGE: ${{ needs.buildImage.outputs.tags }}
+          OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }}
+          MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR }}
+          VERSION_NUMBER: ${{ needs.buildImage.outputs.jar_version }}
+        run: |
+          bash ./scripts/azure-vn/deployment/generate-deployment-artifacts.sh
+
+      - name: Upload deployment artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_PREFIX }}deployment-files-${{ needs.buildImage.outputs.jar_version }}
+          path: ${{ env.ARTIFACTS_OUTPUT_DIR }}
+          if-no-files-found: error
+
+      - name: Upload manifest
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_PREFIX }}enclave-id-${{ needs.buildImage.outputs.jar_version }}
+          path: ${{ env.MANIFEST_OUTPUT_DIR }}
+          if-no-files-found: error
+
+      - name: Generate release archive
+        if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }}
+        run: |
+          zip -j ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ needs.buildImage.outputs.docker_version }}.zip ${{ env.ARTIFACTS_OUTPUT_DIR }}/*
+
+      - name: Build changelog
+        id: github_release
+        if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }}
+        uses: mikepenz/release-changelog-builder-action@v4
+        with:
+          configurationJson: |
+            {
+              "template": "#{{CHANGELOG}}\n## Installation\n```\ndocker pull ${{ needs.buildImage.outputs.tags }}\n```\n\n## Image reference to deploy: \n```\n${{ needs.buildImage.outputs.image_tag }}\n```\n\n## Changelog\n#{{UNCATEGORIZED}}",
+              "pr_template": " - #{{TITLE}} - ( PR: ##{{NUMBER}} )"
+            }
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create release
+        if: ${{ inputs.version_number_input == '' && needs.buildImage.outputs.is_release == 'true' }}
+        uses: softprops/action-gh-release@v2
+        with:
+          name: ${{ needs.buildImage.outputs.jar_version }}
+          body: ${{ steps.github_release.outputs.changelog }}
+          draft: true
+          files: |
+            ${{ env.ARTIFACTS_OUTPUT_DIR }}/uid2-operator-deployment-artifacts-${{ needs.buildImage.outputs.jar_version }}.zip
+            ${{ env.MANIFEST_OUTPUT_DIR }}/${{ env.ARTIFACT_PREFIX }}operator-digest-${{ needs.buildImage.outputs.jar_version }}.txt
diff --git a/scripts/azure-vn/deployment/generate-deployment-artifacts.sh b/scripts/azure-vn/deployment/generate-deployment-artifacts.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -x
+
+# Following environment variables must be set
+# - IMAGE: uid2-operator image
+# - OUTPUT_DIR: output directory to store the artifacts
+# - MANIFEST_DIR: output directory to store the manifest for the enclave Id
+# - VERSION_NUMBER: the version number of the build
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+INPUT_DIR=${SCRIPT_DIR}
+
+if [[ -z ${IMAGE} ]]; then
+  echo "IMAGE cannot be empty"
+  exit 1
+fi
+IMAGE_VERSION=$(echo $IMAGE | awk -F':' '{print $2}')
+if [[ -z ${IMAGE_VERSION} ]]; then
+  echo "Failed to extract image version from ${IMAGE}"
+  exit 1
+fi
+
+if [[ -z ${OUTPUT_DIR} ]]; then
+  echo "OUTPUT_DIR cannot be empty"
+  exit 1
+fi
+
+mkdir -p ${OUTPUT_DIR}
+if [[ $? -ne 0 ]]; then
+  echo "Failed to create ${OUTPUT_DIR}"
+  exit 1
+fi
+
+mkdir -p ${MANIFEST_DIR}
+if [[ $? -ne 0 ]]; then
+  echo "Failed to create ${MANIFEST_DIR}"
+  exit 1
+fi
+
+# Input files
+INPUT_FILES=(
+    operator.json operator.parameters.json
+    vault.json vault.parameters.json
+    vnet.json vnet.parameters.json
+    gateway.json gateway.parameters.json
+)
+
+# Copy input files to output dir
+for f in ${INPUT_FILES[@]}; do
+    cp ${INPUT_DIR}/${f} ${OUTPUT_DIR}/${f}
+    if [[ $? -ne 0 ]]; then
+        echo "Failed to copy ${INPUT_DIR}/${f} to ${OUTPUT_DIR}"
+        exit 1
+    fi
+done
+
+az version
+# Install confcom extension, az is originally available in GitHub workflow environment
+az extension add --name confcom
+if [[ $? -ne 0 ]]; then
+  echo "Failed to install Azure confcom extension"
+  exit 1
+fi
+
+# Required by az confcom
+sudo usermod -aG docker ${USER}
+if [[ $? -ne 0 ]]; then
+  echo "Failed to add current user to docker group"
+  exit 1
+fi
+
+# Generate operator template
+sed -i "s#IMAGE_PLACEHOLDER#${IMAGE}#g" ${OUTPUT_DIR}/operator.json && \
+  sed -i "s#IMAGE_VERSION_PLACEHOLDER#${IMAGE_VERSION}#g" ${OUTPUT_DIR}/operator.json
+if [[ $? -ne 0 ]]; then
+  echo "Failed to pre-process operator template file"
+  exit 1
+fi
+
+# Export the policy, update it to turn off allow_environment_variable_dropping, and then insert it into the template
+# note that the EnclaveId is generated by generate.py on the raw policy, not the base64 version
+POLICY_DIGEST_FILE=azure-cc-operator-digest-$VERSION_NUMBER.txt
+az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json --print-policy > ${INPUT_DIR}/policy.base64
+base64 -di < ${INPUT_DIR}/policy.base64 > ${INPUT_DIR}/generated.rego
+sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${INPUT_DIR}/generated.rego
+base64 -w0 < ${INPUT_DIR}/generated.rego > ${INPUT_DIR}/generated.rego.base64
+python3 ${SCRIPT_DIR}/generate.py ${INPUT_DIR}/generated.rego > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
+
+cp ${OUTPUT_DIR}/operator.json ${INPUT_DIR}/source.json
+jq --arg policy "$(cat ${INPUT_DIR}/generated.rego.base64)" '.resources[].properties.confidentialComputeProperties.ccePolicy = $policy' ${INPUT_DIR}/source.json > ${OUTPUT_DIR}/operator.json
+
diff --git a/scripts/azure-vn/deployment/operator.yaml b/scripts/azure-vn/deployment/operator.yaml
@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: operator-deployment 
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: operator 
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: operator
+      annotations:
+        microsoft.containerinstance.virtualnode.ccepolicy: ''
+        microsoft.containerinstance.virtualnode.identity: /subscriptions/63e97a70-d825-4b08-af6d-c0d8ad98bed3/resourcegroups/kat-vn-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kat-vn-aks-opr-id
+        microsoft.containerinstance.virtualnode.injectdns: "false"
+    spec:
+      containers:
+        - image: "mcr.microsoft.com/aci/skr:2.7"
+          imagePullPolicy: Always
+          name: skr
+          resources:
+            limits:
+              cpu: 2250m
+              memory: 2256Mi
+            requests:
+              cpu: 100m
+              memory: 512Mi
+          env:
+            - name: Port
+              value: "9000"
+          volumeMounts:
+            - mountPath: /opt/confidential-containers/share/kata-containers/reference-info-base64
+              name: endorsement-location
+          command:
+            - /skr.sh
+        - name: uid2-operator
+          image: "ghcr.io/iabtechlab/uid2-operator:5.47.71-alpha-215-SNAPSHOT-azure-cc"
+          resources:
+            limits:
+              memory: "8Gi"
+          imagePullPolicy: Always
+          securityContext:
+            runAsUser: 1000
+          env:
+            - name: VAULT_NAME
+              value: kat-vn-aks-vault
+            - name: OPERATOR_KEY_SECRET_NAME
+              value: kat-vn-aks-opr-key-name
+            - name: DEPLOYMENT_ENVIRONMENT
+              value: integ
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+            - name: prometheus
+              containerPort: 9080
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ops/healthcheck
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      volumes:
+        - name: endorsement-location
+          hostPath:
+            path: /opt/confidential-containers/share/kata-containers/reference-info-base64
+      nodeSelector:
+        virtualization: virtualnode2
+      tolerations:
+      - effect: NoSchedule
+        key: virtual-kubelet.io/provider
+        operator: Exists
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: operator-svc
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: operator
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
