harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #117 from matter-labs/container-push

Browse source 
ci: fix and revise docker push strategy
This commit is contained in:
Harald Hoyer 2024-06-12 14:59:40 +02:00 committed by GitHub
commit 8e1759901f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 100 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

53
.github/workflows/nix.yml vendored
View file

@ -51,7 +51,6 @@ jobs:
push_to_docker:
needs: build
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }}
@ -60,11 +59,13 @@ jobs:
fail-fast: false
matrix:
config:
- { nixpackage: 'container-vault-sgx-azure', dockerfile: 'packages/container-vault-sgx-azure/Dockerfile', repository: 'teepot-vault' }
- { nixpackage: 'container-vault-unseal-sgx-azure', dockerfile: 'packages/container-vault-unseal-sgx-azure/Dockerfile', repository: 'teepot-tvu' }
- { nixpackage: 'container-vault-admin-sgx-azure', dockerfile: 'packages/container-vault-admin-sgx-azure/Dockerfile', repository: 'teepot-tva' }
- { nixpackage: 'container-self-attestation-test-sgx-dcap', dockerfile: 'packages/container-self-attestation-test-sgx-dcap/Dockerfile', repository: 'teepot-self-attestation-test-sgx-dcap' }
- { nixpackage: 'container-self-attestation-test-sgx-azure', dockerfile: 'packages/container-self-attestation-test-sgx-azure/Dockerfile', repository: 'teepot-self-attestation-test-sgx-azure' }
- { nixpackage: 'container-vault-sgx-azure' }
- { nixpackage: 'container-vault-unseal-sgx-azure' }
- { nixpackage: 'container-vault-admin-sgx-azure' }
- { nixpackage: 'container-vault-unseal' }
- { nixpackage: 'container-vault-admin' }
- { nixpackage: 'container-self-attestation-test-sgx-dcap' }
- { nixpackage: 'container-self-attestation-test-sgx-azure' }
- { nixpackage: 'container-verify-attestation-sgx' }
steps:
- uses: actions/checkout@v4
@ -86,30 +87,36 @@ jobs:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Load and Push nix container
- name: Load container
id: build
run: |
nix build -L .#${{ matrix.config.nixpackage }}
nix build --accept-flake-config -L .#${{ matrix.config.nixpackage }}
export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
echo "Pushing image ${IMAGE_TAG} to Docker Hub"
docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}"
docker push matterlabsrobot/"${IMAGE_TAG}"
docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest"
docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest"
echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
echo "IMAGE_NAME=${IMAGE_TAG%:*}" >> "$GITHUB_OUTPUT"
- name: Push container
run: |
echo "Pushing image ${{ steps.build.outputs.IMAGE_TAG }} to Docker Hub"
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}"
- name: Tag container as latest
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
run: |
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
- name: Generate build ID for Flux Image Automation
if: ${{ matrix.config.dockerfile }}
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
id: buildid
run: |
sha=$(git rev-parse --short HEAD)
ts=$(date +%s%N | cut -b1-13)
echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"
- name: Build and Push Container
if: ${{ matrix.config.dockerfile }}
uses: docker/build-push-action@v5
with:
file: ${{ matrix.config.dockerfile }}
tags: |
"matterlabsrobot/${{ matrix.config.repository }}:latest"
"matterlabsrobot/${{ matrix.config.repository }}:${{ steps.buildid.outputs.BUILD_ID }}"
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
- name: Push Docker image to matterlabs-infra
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
run: |
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}::${{ steps.buildid.outputs.BUILD_ID }}"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}::${{ steps.buildid.outputs.BUILD_ID }}"

46
examples/README.md
View file

@ -47,12 +47,13 @@ Vault is unsealed!
```
With `teepot-admin` being the name of the image running the tee-vault-admin service, the following commands can be used
With `teepot-vault-admin-sgx-azure` being the name of the image running the teepot-vault-admin-sgx-azure service, the
following commands can be used
to sign the admin tee:
```bash
(id=$(docker create teepot-admin); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id)
cargo run -p vault-admin -- create-sign-request --tee-name admin ~/tee-vault-admin.sig > ~/sign_admin_tee.json
(id=$(docker create teepot-vault-admin-sgx-azure); docker cp $id:/app/teepot-vault-admin-sgx-azure.sig ~/teepot-vault-admin-sgx-azure.sig; docker rm -v $id)
cargo run -p vault-admin -- create-sign-request --tee-name admin ~/teepot-vault-admin-sgx-azure.sig > ~/sign_admin_tee.json
vim sign_admin_tee.json
gpg --local-user test@example.com --detach-sign --armor ~/sign_admin_tee.json
RUST_LOG=info cargo run -p vault-admin -- \
@ -91,8 +92,8 @@ Attributes:
```bash
docker compose build && (docker compose rm; docker volume rm teepot_vault-storage teepot_ha-raft-1 teepot_shared-1 teepot_ha-raft-2 teepot_shared-2 teepot_ha-raft-3 teepot_shared-3; docke
r compose up --remove-orphans vault-1 tvu-1)
(id=$(docker create teepot-admin); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id)
gramine-sgx-sigstruct-view ~/tee-vault-admin.sig
(id=$(docker create teepot-vault-admin-sgx-azure); docker cp $id:/app/teepot-vault-admin-sgx-azure.sig ~/teepot-vault-admin-sgx-azure.sig; docker rm -v $id)
gramine-sgx-sigstruct-view ~/teepot-vault-admin-sgx-azure.sig
Attributes:
mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
mr_enclave: 265ca491bf13e2486fd67d12038fcce02f133c5d91277e42f58c0ab464d5b46b
@ -117,10 +118,10 @@ Passphrase:
## Kubernetes
Find out the `mr_enclave` value of the tee-vault-admin enclave and extract the sigstruct file:
Find out the `mr_enclave` value of the teepot-vault-admin-sgx-azure enclave and extract the sigstruct file:
```bash
docker run -v .:/mnt --pull always -it matterlabsrobot/teepot-tva:latest 'gramine-sgx-sigstruct-view tee-vault-admin.sig; cp tee-vault-admin.sig /mnt'
docker run -v .:/mnt --pull always -it matterlabsrobot/teepot-vault-admin-sgx-azure:latest 'gramine-sgx-sigstruct-view teepot-vault-admin-sgx-azure.sig; cp teepot-vault-admin-sgx-azure.sig /mnt'
[...]
Attributes:
mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
@ -128,8 +129,8 @@ Attributes:
isv_prod_id: 0
isv_svn: 0
debug_enclave: False
ls -l ~/tee-vault-admin.sig
-rw-r--r--. 1 harald harald 1808 2. Nov 10:46 tee-vault-admin.sig
ls -l ~/teepot-vault-admin-sgx-azure.sig
-rw-r--r--. 1 harald harald 1808 2. Nov 10:46 teepot-vault-admin-sgx-azure.sig
```
Start the vault service and pod and forward the port
@ -145,7 +146,8 @@ Start the vault service and pod and forward the port
Initialize the instance.
This can take up to 6 minutes, depending on the `performance_multiplier` setting in vault.
Adjust the `--admin-tee-mrenclave` parameter to match the `mr_enclave` value of the tee-vault-admin container.
Adjust the `--admin-tee-mrenclave` parameter to match the `mr_enclave` value of the teepot-vault-admin-sgx-azure
container.
```bash
RUST_LOG=info cargo run -p vault-unseal -- \
@ -209,40 +211,40 @@ The vault cluster should now settle to be completely unsealed and synced.
Start the vault-admin pod and forward the port:
```bash
kubectl port-forward pods/tee-vault-admin 8444
kubectl port-forward pods/teepot-vault-admin-sgx-azure 8444
```
Next is to sign the admin tee with the vault-admin tool:
```bash
cargo run -p vault-admin -- create-sign-request --tee-name admin ~/tee-vault-admin.sig > ~/tee-vault-admin.json
gpg --local-user test@example.com --detach-sign --armor ~/tee-vault-admin.json
cargo run -p vault-admin -- create-sign-request --tee-name admin ~/teepot-vault-admin-sgx-azure.sig > ~/teepot-vault-admin-sgx-azure.json
gpg --local-user test@example.com --detach-sign --armor ~/teepot-vault-admin-sgx-azure.json
cargo run -p vault-admin -- command \
--server https://127.0.0.1:8444 \
--sgx-allowed-tcb-levels SwHardeningNeeded \
--out ~/tee-vault-admin-new.sig \
~/tee-vault-admin.json ~/tee-vault-admin.json.asc
--out ~/teepot-vault-admin-sgx-azure-new.sig \
~/teepot-vault-admin-sgx-azure.json ~/teepot-vault-admin-sgx-azure.json.asc
```
Then replace `tee-vault-admin.sig` with `tee-vault-admin-new.sig` in the container
image `matterlabsrobot/teepot-tva:latest` with this Dockerfile:
Then replace `teepot-vault-admin-sgx-azure.sig` with `teepot-vault-admin-sgx-azure-new.sig` in the container
image `matterlabsrobot/teepot-vault-admin-sgx-azure:latest` with this Dockerfile:
```Dockerfile
FROM matterlabsrobot/teepot-tva:latest
COPY tee-vault-admin-new.sig /app/tee-vault-admin.sig
FROM matterlabsrobot/teepot-vault-admin-sgx-azure:latest
COPY teepot-vault-admin-sgx-azure-new.sig /app/teepot-vault-admin-sgx-azure.sig
```
Build and push the new image:
```bash
docker build -t matterlabsrobot/teepot-tva-signed:latest .
docker push matterlabsrobot/teepot-tva-signed:latest
docker build -t matterlabsrobot/teepot-vault-admin-sgx-azure-signed:latest .
docker push matterlabsrobot/teepot-vault-admin-sgx-azure-signed:latest
```
Delete the old vault-admin pod and start the new one:
```bash
kubectl delete pod/tee-vault-admin
kubectl delete pod/teepot-vault-admin-sgx-azure
kubectl apply -f examples/k8s/vault-admin-signed-pod.yaml
```

4
examples/k8s/vault-1-pod.yaml
View file

@ -27,7 +27,7 @@ spec:
imagePullSecrets:
- name: docker-regcred
containers:
- image: matterlabsrobot/teepot-vault:latest
- image: matterlabsrobot/teepot-vault-sgx-azure:latest
name: vault
imagePullPolicy: Always
env:
@ -64,7 +64,7 @@ spec:
name: shared-1
- mountPath: /opt/vault/data
name: data-1
- image: matterlabsrobot/teepot-tvu:latest
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal
imagePullPolicy: Always
env:

4
examples/k8s/vault-2-pod.yaml
View file

@ -27,7 +27,7 @@ spec:
imagePullSecrets:
- name: docker-regcred
containers:
- image: matterlabsrobot/teepot-vault:latest
- image: matterlabsrobot/teepot-vault-sgx-azure:latest
name: vault
imagePullPolicy: Always
env:
@ -64,7 +64,7 @@ spec:
name: shared-2
- mountPath: /opt/vault/data
name: data-2
- image: matterlabsrobot/teepot-tvu:latest
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal
imagePullPolicy: Always
env:

4
examples/k8s/vault-3-pod.yaml
View file

@ -27,7 +27,7 @@ spec:
imagePullSecrets:
- name: docker-regcred
containers:
- image: matterlabsrobot/teepot-vault:latest
- image: matterlabsrobot/teepot-vault-sgx-azure:latest
name: vault
imagePullPolicy: Always
env:
@ -64,7 +64,7 @@ spec:
name: shared-3
- mountPath: /opt/vault/data
name: data-3
- image: matterlabsrobot/teepot-tvu:latest
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal
imagePullPolicy: Always
env:

2
packages/container-self-attestation-test-sgx-azure/default.nix
View file

@ -6,7 +6,7 @@
, teepot
, nixsgx
, container-name ? "teepot-self-attestation-test-sgx-azure"
, tag ? "latest"
, tag ? null
, isAzure ? true
}:
pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {

4
packages/container-vault-admin-sgx-azure/default.nix
View file

@ -6,8 +6,8 @@
, teepot
, nixsgx
, container-name ? "teepot-vault-admin-sgx-azure"
, tag ? "latest"
, isAzure ? true
, tag ? null
, isAzure ? null
}:
pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {
name = container-name;

30
packages/container-vault-admin/default.nix Normal file
View file

@ -0,0 +1,30 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ dockerTools
, buildEnv
, teepot
, openssl
, curl
, nixsgx
}:
dockerTools.buildLayeredImage {
name = "vault-admin";
config.Entrypoint = [ "${teepot.teepot.vault_admin}/bin/vault-admin" ];
contents = buildEnv {
name = "image-root";
paths = with dockerTools; with nixsgx;[
openssl.out
curl.out
sgx-dcap.quote_verify
sgx-dcap.default_qpl
usrBinEnv
binSh
caCertificates
fakeNss
teepot.teepot.vault_admin
];
pathsToLink = [ "/bin" "/lib" "/etc" ];
};
}

2
packages/container-vault-sgx-azure/default.nix
View file

@ -8,7 +8,7 @@
, vat
, vault
, container-name ? "teepot-vault-sgx-azure"
, tag ? "latest"
, tag ? null
, isAzure ? true
}:
let

2
packages/container-vault-unseal-sgx-azure/default.nix
View file

@ -7,7 +7,7 @@
, nixsgx
, vat
, container-name ? "teepot-vault-unseal-sgx-azure"
, tag ? "latest"
, tag ? null
, isAzure ? true
}:
pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {

9
packages/container-vault-unseal/default.nix
View file

@ -1,23 +1,24 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ dockerTools
, nixsgx
, teepot
, buildEnv
, teepot
, openssl
, curl
, nixsgx
}:
dockerTools.buildLayeredImage {
name = "vault-unseal";
tag = "latest";
config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ];
contents = buildEnv {
name = "image-root";
paths = with dockerTools; with nixsgx;[
azure-dcap-client
openssl.out
curl.out
sgx-dcap.quote_verify
sgx-dcap.default_qpl
usrBinEnv
binSh
caCertificates

1
packages/container-verify-attestation-sgx/default.nix
View file

@ -9,7 +9,6 @@
}:
dockerTools.buildLayeredImage {
name = "verify-attestation-sgx";
tag = "latest";
config.Cmd = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ];
config.Env = [ "LD_LIBRARY_PATH=/lib" ];