harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-22 23:44:48 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #117 from matter-labs/container-push

Browse source 
ci: fix and revise docker push strategy
This commit is contained in:
Harald Hoyer 2024-06-12 14:59:40 +02:00 committed by GitHub
commit 8e1759901f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 100 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

53
.github/workflows/nix.yml vendored
View file

@ -51,7 +51,6 @@ jobs:
push_to_docker: push_to_docker:
needs: build needs: build
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }} group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }}
@ -60,11 +59,13 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
config: config:
- { nixpackage: 'container-vault-sgx-azure', dockerfile: 'packages/container-vault-sgx-azure/Dockerfile', repository: 'teepot-vault' } - { nixpackage: 'container-vault-sgx-azure' }
- { nixpackage: 'container-vault-unseal-sgx-azure', dockerfile: 'packages/container-vault-unseal-sgx-azure/Dockerfile', repository: 'teepot-tvu' } - { nixpackage: 'container-vault-unseal-sgx-azure' }
- { nixpackage: 'container-vault-admin-sgx-azure', dockerfile: 'packages/container-vault-admin-sgx-azure/Dockerfile', repository: 'teepot-tva' } - { nixpackage: 'container-vault-admin-sgx-azure' }
- { nixpackage: 'container-self-attestation-test-sgx-dcap', dockerfile: 'packages/container-self-attestation-test-sgx-dcap/Dockerfile', repository: 'teepot-self-attestation-test-sgx-dcap' } - { nixpackage: 'container-vault-unseal' }
- { nixpackage: 'container-self-attestation-test-sgx-azure', dockerfile: 'packages/container-self-attestation-test-sgx-azure/Dockerfile', repository: 'teepot-self-attestation-test-sgx-azure' } - { nixpackage: 'container-vault-admin' }
- { nixpackage: 'container-self-attestation-test-sgx-dcap' }
- { nixpackage: 'container-self-attestation-test-sgx-azure' }
- { nixpackage: 'container-verify-attestation-sgx' } - { nixpackage: 'container-verify-attestation-sgx' }
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@ -86,30 +87,36 @@ jobs:
username: ${{ secrets.DOCKERHUB_USER }} username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Load and Push nix container - name: Load container
id: build
run: | run: |
nix build -L .#${{ matrix.config.nixpackage }} nix build --accept-flake-config -L .#${{ matrix.config.nixpackage }}
export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*') export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
echo "Pushing image ${IMAGE_TAG} to Docker Hub" echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}" echo "IMAGE_NAME=${IMAGE_TAG%:*}" >> "$GITHUB_OUTPUT"
docker push matterlabsrobot/"${IMAGE_TAG}"
docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest" - name: Push container
docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest" run: |
echo "Pushing image ${{ steps.build.outputs.IMAGE_TAG }} to Docker Hub"
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}"
- name: Tag container as latest
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
run: |
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
- name: Generate build ID for Flux Image Automation - name: Generate build ID for Flux Image Automation
if: ${{ matrix.config.dockerfile }} if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
id: buildid id: buildid
run: | run: |
sha=$(git rev-parse --short HEAD) sha=$(git rev-parse --short HEAD)
ts=$(date +%s%N | cut -b1-13) ts=$(date +%s%N | cut -b1-13)
echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT" echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"
- name: Build and Push Container - name: Push Docker image to matterlabs-infra
if: ${{ matrix.config.dockerfile }} if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
uses: docker/build-push-action@v5 run: |
with: docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}::${{ steps.buildid.outputs.BUILD_ID }}"
file: ${{ matrix.config.dockerfile }} docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}::${{ steps.buildid.outputs.BUILD_ID }}"
tags: |
"matterlabsrobot/${{ matrix.config.repository }}:latest"
"matterlabsrobot/${{ matrix.config.repository }}:${{ steps.buildid.outputs.BUILD_ID }}"
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}

46
examples/README.md
View file

@ -47,12 +47,13 @@ Vault is unsealed!
``` ```
With `teepot-admin` being the name of the image running the tee-vault-admin service, the following commands can be used With `teepot-vault-admin-sgx-azure` being the name of the image running the teepot-vault-admin-sgx-azure service, the
following commands can be used
to sign the admin tee: to sign the admin tee:
```bash ```bash
(id=$(docker create teepot-admin); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id) (id=$(docker create teepot-vault-admin-sgx-azure); docker cp $id:/app/teepot-vault-admin-sgx-azure.sig ~/teepot-vault-admin-sgx-azure.sig; docker rm -v $id)
cargo run -p vault-admin -- create-sign-request --tee-name admin ~/tee-vault-admin.sig > ~/sign_admin_tee.json cargo run -p vault-admin -- create-sign-request --tee-name admin ~/teepot-vault-admin-sgx-azure.sig > ~/sign_admin_tee.json
vim sign_admin_tee.json vim sign_admin_tee.json
gpg --local-user test@example.com --detach-sign --armor ~/sign_admin_tee.json gpg --local-user test@example.com --detach-sign --armor ~/sign_admin_tee.json
RUST_LOG=info cargo run -p vault-admin -- \ RUST_LOG=info cargo run -p vault-admin -- \
@ -91,8 +92,8 @@ Attributes:
```bash ```bash
docker compose build && (docker compose rm; docker volume rm teepot_vault-storage teepot_ha-raft-1 teepot_shared-1 teepot_ha-raft-2 teepot_shared-2 teepot_ha-raft-3 teepot_shared-3; docke docker compose build && (docker compose rm; docker volume rm teepot_vault-storage teepot_ha-raft-1 teepot_shared-1 teepot_ha-raft-2 teepot_shared-2 teepot_ha-raft-3 teepot_shared-3; docke
r compose up --remove-orphans vault-1 tvu-1) r compose up --remove-orphans vault-1 tvu-1)
(id=$(docker create teepot-admin); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id) (id=$(docker create teepot-vault-admin-sgx-azure); docker cp $id:/app/teepot-vault-admin-sgx-azure.sig ~/teepot-vault-admin-sgx-azure.sig; docker rm -v $id)
gramine-sgx-sigstruct-view ~/tee-vault-admin.sig gramine-sgx-sigstruct-view ~/teepot-vault-admin-sgx-azure.sig
Attributes: Attributes:
mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
mr_enclave: 265ca491bf13e2486fd67d12038fcce02f133c5d91277e42f58c0ab464d5b46b mr_enclave: 265ca491bf13e2486fd67d12038fcce02f133c5d91277e42f58c0ab464d5b46b
@ -117,10 +118,10 @@ Passphrase:
## Kubernetes ## Kubernetes
Find out the `mr_enclave` value of the tee-vault-admin enclave and extract the sigstruct file: Find out the `mr_enclave` value of the teepot-vault-admin-sgx-azure enclave and extract the sigstruct file:
```bash ```bash
docker run -v .:/mnt --pull always -it matterlabsrobot/teepot-tva:latest 'gramine-sgx-sigstruct-view tee-vault-admin.sig; cp tee-vault-admin.sig /mnt' docker run -v .:/mnt --pull always -it matterlabsrobot/teepot-vault-admin-sgx-azure:latest 'gramine-sgx-sigstruct-view teepot-vault-admin-sgx-azure.sig; cp teepot-vault-admin-sgx-azure.sig /mnt'
[...] [...]
Attributes: Attributes:
mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
@ -128,8 +129,8 @@ Attributes:
isv_prod_id: 0 isv_prod_id: 0
isv_svn: 0 isv_svn: 0
debug_enclave: False debug_enclave: False
ls -l ~/tee-vault-admin.sig ls -l ~/teepot-vault-admin-sgx-azure.sig
-rw-r--r--. 1 harald harald 1808 2. Nov 10:46 tee-vault-admin.sig -rw-r--r--. 1 harald harald 1808 2. Nov 10:46 teepot-vault-admin-sgx-azure.sig
``` ```
Start the vault service and pod and forward the port Start the vault service and pod and forward the port
@ -145,7 +146,8 @@ Start the vault service and pod and forward the port
Initialize the instance. Initialize the instance.
This can take up to 6 minutes, depending on the `performance_multiplier` setting in vault. This can take up to 6 minutes, depending on the `performance_multiplier` setting in vault.
Adjust the `--admin-tee-mrenclave` parameter to match the `mr_enclave` value of the tee-vault-admin container. Adjust the `--admin-tee-mrenclave` parameter to match the `mr_enclave` value of the teepot-vault-admin-sgx-azure
container.
```bash ```bash
RUST_LOG=info cargo run -p vault-unseal -- \ RUST_LOG=info cargo run -p vault-unseal -- \
@ -209,40 +211,40 @@ The vault cluster should now settle to be completely unsealed and synced.
Start the vault-admin pod and forward the port: Start the vault-admin pod and forward the port:
```bash ```bash
kubectl port-forward pods/tee-vault-admin 8444 kubectl port-forward pods/teepot-vault-admin-sgx-azure 8444
``` ```
Next is to sign the admin tee with the vault-admin tool: Next is to sign the admin tee with the vault-admin tool:
```bash ```bash
cargo run -p vault-admin -- create-sign-request --tee-name admin ~/tee-vault-admin.sig > ~/tee-vault-admin.json cargo run -p vault-admin -- create-sign-request --tee-name admin ~/teepot-vault-admin-sgx-azure.sig > ~/teepot-vault-admin-sgx-azure.json
gpg --local-user test@example.com --detach-sign --armor ~/tee-vault-admin.json gpg --local-user test@example.com --detach-sign --armor ~/teepot-vault-admin-sgx-azure.json
cargo run -p vault-admin -- command \ cargo run -p vault-admin -- command \
--server https://127.0.0.1:8444 \ --server https://127.0.0.1:8444 \
--sgx-allowed-tcb-levels SwHardeningNeeded \ --sgx-allowed-tcb-levels SwHardeningNeeded \
--out ~/tee-vault-admin-new.sig \ --out ~/teepot-vault-admin-sgx-azure-new.sig \
~/tee-vault-admin.json ~/tee-vault-admin.json.asc ~/teepot-vault-admin-sgx-azure.json ~/teepot-vault-admin-sgx-azure.json.asc
``` ```
Then replace `tee-vault-admin.sig` with `tee-vault-admin-new.sig` in the container Then replace `teepot-vault-admin-sgx-azure.sig` with `teepot-vault-admin-sgx-azure-new.sig` in the container
image `matterlabsrobot/teepot-tva:latest` with this Dockerfile: image `matterlabsrobot/teepot-vault-admin-sgx-azure:latest` with this Dockerfile:
```Dockerfile ```Dockerfile
FROM matterlabsrobot/teepot-tva:latest FROM matterlabsrobot/teepot-vault-admin-sgx-azure:latest
COPY tee-vault-admin-new.sig /app/tee-vault-admin.sig COPY teepot-vault-admin-sgx-azure-new.sig /app/teepot-vault-admin-sgx-azure.sig
``` ```
Build and push the new image: Build and push the new image:
```bash ```bash
docker build -t matterlabsrobot/teepot-tva-signed:latest . docker build -t matterlabsrobot/teepot-vault-admin-sgx-azure-signed:latest .
docker push matterlabsrobot/teepot-tva-signed:latest docker push matterlabsrobot/teepot-vault-admin-sgx-azure-signed:latest
``` ```
Delete the old vault-admin pod and start the new one: Delete the old vault-admin pod and start the new one:
```bash ```bash
kubectl delete pod/tee-vault-admin kubectl delete pod/teepot-vault-admin-sgx-azure
kubectl apply -f examples/k8s/vault-admin-signed-pod.yaml kubectl apply -f examples/k8s/vault-admin-signed-pod.yaml
``` ```

4
examples/k8s/vault-1-pod.yaml
View file

@ -27,7 +27,7 @@ spec:
imagePullSecrets: imagePullSecrets:
- name: docker-regcred - name: docker-regcred
containers: containers:
- image: matterlabsrobot/teepot-vault:latest - image: matterlabsrobot/teepot-vault-sgx-azure:latest
name: vault name: vault
imagePullPolicy: Always imagePullPolicy: Always
env: env:
@ -64,7 +64,7 @@ spec:
name: shared-1 name: shared-1
- mountPath: /opt/vault/data - mountPath: /opt/vault/data
name: data-1 name: data-1
- image: matterlabsrobot/teepot-tvu:latest - image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:

4
examples/k8s/vault-2-pod.yaml
View file

@ -27,7 +27,7 @@ spec:
imagePullSecrets: imagePullSecrets:
- name: docker-regcred - name: docker-regcred
containers: containers:
- image: matterlabsrobot/teepot-vault:latest - image: matterlabsrobot/teepot-vault-sgx-azure:latest
name: vault name: vault
imagePullPolicy: Always imagePullPolicy: Always
env: env:
@ -64,7 +64,7 @@ spec:
name: shared-2 name: shared-2
- mountPath: /opt/vault/data - mountPath: /opt/vault/data
name: data-2 name: data-2
- image: matterlabsrobot/teepot-tvu:latest - image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:

4
examples/k8s/vault-3-pod.yaml
View file

@ -27,7 +27,7 @@ spec:
imagePullSecrets: imagePullSecrets:
- name: docker-regcred - name: docker-regcred
containers: containers:
- image: matterlabsrobot/teepot-vault:latest - image: matterlabsrobot/teepot-vault-sgx-azure:latest
name: vault name: vault
imagePullPolicy: Always imagePullPolicy: Always
env: env:
@ -64,7 +64,7 @@ spec:
name: shared-3 name: shared-3
- mountPath: /opt/vault/data - mountPath: /opt/vault/data
name: data-3 name: data-3
- image: matterlabsrobot/teepot-tvu:latest - image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:

2
packages/container-self-attestation-test-sgx-azure/default.nix
View file

@ -6,7 +6,7 @@
, teepot , teepot
, nixsgx , nixsgx
, container-name ? "teepot-self-attestation-test-sgx-azure" , container-name ? "teepot-self-attestation-test-sgx-azure"
, tag ? "latest" , tag ? null
, isAzure ? true , isAzure ? true
}: }:
pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer { pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {

4
packages/container-vault-admin-sgx-azure/default.nix
View file

@ -6,8 +6,8 @@
, teepot , teepot
, nixsgx , nixsgx
, container-name ? "teepot-vault-admin-sgx-azure" , container-name ? "teepot-vault-admin-sgx-azure"
, tag ? "latest" , tag ? null
, isAzure ? true , isAzure ? null
}: }:
pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer { pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {
name = container-name; name = container-name;

30
packages/container-vault-admin/default.nix Normal file
View file

@ -0,0 +1,30 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ dockerTools
, buildEnv
, teepot
, openssl
, curl
, nixsgx
}:
dockerTools.buildLayeredImage {
name = "vault-admin";
config.Entrypoint = [ "${teepot.teepot.vault_admin}/bin/vault-admin" ];
contents = buildEnv {
name = "image-root";
paths = with dockerTools; with nixsgx;[
openssl.out
curl.out
sgx-dcap.quote_verify
sgx-dcap.default_qpl
usrBinEnv
binSh
caCertificates
fakeNss
teepot.teepot.vault_admin
];
pathsToLink = [ "/bin" "/lib" "/etc" ];
};
}

2
packages/container-vault-sgx-azure/default.nix
View file

@ -8,7 +8,7 @@
, vat , vat
, vault , vault
, container-name ? "teepot-vault-sgx-azure" , container-name ? "teepot-vault-sgx-azure"
, tag ? "latest" , tag ? null
, isAzure ? true , isAzure ? true
}: }:
let let

2
packages/container-vault-unseal-sgx-azure/default.nix
View file

@ -7,7 +7,7 @@
, nixsgx , nixsgx
, vat , vat
, container-name ? "teepot-vault-unseal-sgx-azure" , container-name ? "teepot-vault-unseal-sgx-azure"
, tag ? "latest" , tag ? null
, isAzure ? true , isAzure ? true
}: }:
pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer { pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {

9
packages/container-vault-unseal/default.nix
View file

@ -1,23 +1,24 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs # Copyright (c) 2024 Matter Labs
{ dockerTools { dockerTools
, nixsgx
, teepot
, buildEnv , buildEnv
, teepot
, openssl
, curl , curl
, nixsgx
}: }:
dockerTools.buildLayeredImage { dockerTools.buildLayeredImage {
name = "vault-unseal"; name = "vault-unseal";
tag = "latest";
config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ]; config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ];
contents = buildEnv { contents = buildEnv {
name = "image-root"; name = "image-root";
paths = with dockerTools; with nixsgx;[ paths = with dockerTools; with nixsgx;[
azure-dcap-client openssl.out
curl.out curl.out
sgx-dcap.quote_verify sgx-dcap.quote_verify
sgx-dcap.default_qpl
usrBinEnv usrBinEnv
binSh binSh
caCertificates caCertificates

1
packages/container-verify-attestation-sgx/default.nix
View file

@ -9,7 +9,6 @@
}: }:
dockerTools.buildLayeredImage { dockerTools.buildLayeredImage {
name = "verify-attestation-sgx"; name = "verify-attestation-sgx";
tag = "latest";
config.Cmd = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ]; config.Cmd = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ];
config.Env = [ "LD_LIBRARY_PATH=/lib" ]; config.Env = [ "LD_LIBRARY_PATH=/lib" ];