From de06acbef97259e22d9002300306ff246196438f Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 12 Jun 2024 13:15:50 +0200
Subject: [PATCH] fix: don't tag the nix produced container with `latest` leave it to the github workflow on push to main
Signed-off-by: Harald Hoyer
---
 .../default.nix | 2 +-
 .../default.nix | 4 +--
 packages/container-vault-admin/default.nix | 28 +++++++++++++++++++
 .../container-vault-sgx-azure/default.nix | 2 +-
 .../default.nix | 2 +-
 packages/container-vault-unseal/default.nix | 1 -
 .../default.nix | 1 -
 7 files changed, 33 insertions(+), 7 deletions(-)
 create mode 100644 packages/container-vault-admin/default.nix
diff --git a/packages/container-self-attestation-test-sgx-azure/default.nix b/packages/container-self-attestation-test-sgx-azure/default.nix
index 56a061b..cdc240e 100644
--- a/packages/container-self-attestation-test-sgx-azure/default.nix
+++ b/packages/container-self-attestation-test-sgx-azure/default.nix
@@ -6,7 +6,7 @@
 , teepot
 , nixsgx
 , container-name ? "teepot-self-attestation-test-sgx-azure"
-, tag ? "latest"
+, tag ? null
 , isAzure ? true
 }:
 pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {
diff --git a/packages/container-vault-admin-sgx-azure/default.nix b/packages/container-vault-admin-sgx-azure/default.nix
index 975d9b9..c2e7820 100644
--- a/packages/container-vault-admin-sgx-azure/default.nix
+++ b/packages/container-vault-admin-sgx-azure/default.nix
@@ -6,8 +6,8 @@
 , teepot
 , nixsgx
 , container-name ? "teepot-vault-admin-sgx-azure"
-, tag ? "latest"
-, isAzure ? true
+, tag ? null
+, isAzure ? null
 }:
 pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {
 name = container-name;
diff --git a/packages/container-vault-admin/default.nix b/packages/container-vault-admin/default.nix
new file mode 100644
index 0000000..235ddd7
--- /dev/null
+++ b/packages/container-vault-admin/default.nix
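Review bot: The new `tag ? null` default in packages/container-self-attestation-test-sgx-azure/default.nix has no comment saying what a null tag produces; the same applies to the `tag ? null` hunks in container-vault-admin-sgx-azure, container-vault-sgx-azure and container-vault-unseal-sgx-azure. How `mkSGXContainer` treats null is not visible in this patch; if it forwards the value to `dockerTools.buildLayeredImage`, the tag falls back to the store-path hash, which keeps a locally built image from being mistaken for the published `latest`. I would add `# tag: null leaves tagging to the image builder; the CI workflow applies "latest" on push to main` above the argument. The argument list starts above the hunk and the `mkSGXContainer` call continues below it.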
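Review bot: The default `isAzure ? null` in packages/container-vault-admin-sgx-azure/default.nix looks unintended, since the commit message only mentions tagging and the other three `-sgx-azure` packages in this patch keep `isAzure ? true`. How `mkSGXContainer` interprets null is not visible here, but if the flag selects the Azure DCAP quote provider, this image would either be built without it or fail on a non-boolean, and its attestation path would then differ from its siblings. Unless the change is deliberate, restore `, isAzure ? true`. The `mkSGXContainer` call continues below the hunk.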
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Matter Labs
+{ dockerTools
+, nixsgx
+, teepot
+, buildEnv
+, curl
+}:
+dockerTools.buildLayeredImage {
+ name = "vault-unseal";
+
+ config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ];
+
+ contents = buildEnv {
+ name = "image-root";
+ paths = with dockerTools; with nixsgx;[
+ azure-dcap-client
+ curl.out
+ sgx-dcap.quote_verify
+ usrBinEnv
+ binSh
+ caCertificates
+ fakeNss
+ teepot.teepot.vault_unseal
+ ];
+ pathsToLink = [ "/bin" "/lib" "/etc" ];
+ };
+}
diff --git a/packages/container-vault-sgx-azure/default.nix b/packages/container-vault-sgx-azure/default.nix
index 35cab91..6935c5e 100644
--- a/packages/container-vault-sgx-azure/default.nix
+++ b/packages/container-vault-sgx-azure/default.nix
@@ -8,7 +8,7 @@
 , vat
 , vault
 , container-name ? "teepot-vault-sgx-azure"
-, tag ? "latest"
+, tag ? null
 , isAzure ? true
 }:
 let
diff --git a/packages/container-vault-unseal-sgx-azure/default.nix b/packages/container-vault-unseal-sgx-azure/default.nix
index 56d2989..90ada64 100644
--- a/packages/container-vault-unseal-sgx-azure/default.nix
+++ b/packages/container-vault-unseal-sgx-azure/default.nix
@@ -7,7 +7,7 @@
 , nixsgx
 , vat
 , container-name ? "teepot-vault-unseal-sgx-azure"
-, tag ? "latest"
+, tag ? null
 , isAzure ? true
 }:
 pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer {
diff --git a/packages/container-vault-unseal/default.nix b/packages/container-vault-unseal/default.nix
index 22a4387..235ddd7 100644
--- a/packages/container-vault-unseal/default.nix
+++ b/packages/container-vault-unseal/default.nix
@@ -8,7 +8,6 @@
 }:
 dockerTools.buildLayeredImage {
 name = "vault-unseal";
- tag = "latest";
 config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ];
diff --git a/packages/container-verify-attestation-sgx/default.nix b/packages/container-verify-attestation-sgx/default.nix
index 2918514..3d88a1a 100644
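Review bot: The new packages/container-vault-admin/default.nix builds the unseal image rather than an admin image. It sets `name = "vault-unseal";`, its entrypoint is `${teepot.teepot.vault_unseal}/bin/vault-unseal`, and its blob id 235ddd7 equals the post-change blob of packages/container-vault-unseal/default.nix in this same patch. Two packages that emit an image with the same name make it easy to deploy or attest the wrong binary. The name should read `name = "vault-admin";`, and the entrypoint and the last `paths` entry should point at the admin binary from the `teepot` package set, whose attribute name is not visible in this patch.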
--- a/packages/container-verify-attestation-sgx/default.nix
+++ b/packages/container-verify-attestation-sgx/default.nix
@@ -9,7 +9,6 @@
 }:
 dockerTools.buildLayeredImage {
 name = "verify-attestation-sgx";
- tag = "latest";
 config.Cmd = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ];
 config.Env = [ "LD_LIBRARY_PATH=/lib" ];