feat: build the container image with nix

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 07:43:57 +02:00 · 2024-02-13 13:00:57 +01:00 · 2024-02-13 13:00:57 +01:00 · 4fabbf8f3f
commit 4fabbf8f3f
parent b0653b4246
7 changed files with 117 additions and 185 deletions
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@ -1,41 +0,0 @@
 name: Container
 on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
 permissions:
  packages: write
  contents: read
 jobs:
  push_to_registry:
    name: Build and push containers image to GitHub Packages
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up env
        run: echo "repository_owner=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
      - name: Build and Push Container
        uses: docker/build-push-action@v5
        with:
          tags: |
            ghcr.io/${{env.repository_owner}}/${{ github.event.repository.name }}:latest
            matterlabsrobot/${{ github.event.repository.name }}:latest
          push: ${{ github.event_name == 'push' ||  github.event_name == 'schedule' }}
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -1,40 +0,0 @@
 # This workflow will build a golang project
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
 name: Go
 on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Prep
        run: |
          wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
          sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
          sudo apt -o Acquire::Retries=3 update
          sudo apt -o Acquire::Retries=3 install -y --no-install-recommends \
            libsgx-headers \
            libsgx-enclave-common \
            libsgx-urts \
            libsgx-dcap-quote-verify \
            libsgx-dcap-quote-verify-dev
      - uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: 1.21.4
      - name: Build
        run: go build -v ./...
      - name: Test
        run: go test -v ./...
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@ -0,0 +1,63 @@
 name: nix
 on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - run: nix flake check -L --show-trace --keep-going
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - run: nix fmt
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ github.token }}
      - uses: cachix/cachix-action@v14
        continue-on-error: true
        with:
          name: vault-auth-tee
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          extraPullNames: nixsgx
      - name: nix build
        run: nix run nixpkgs#nixci
      - name: nix docker image
        run: |
          nix build .#dockerImage
          docker load -i result
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and Push Container
        uses: docker/build-push-action@v5
        with:
          tags: matterlabsrobot/vault-auth-tee:latest
          push: ${{ github.event_name == 'push' ||  github.event_name == 'schedule' }}
--- a/54
+++ b/54
@ -1,53 +1 @@
-FROM docker.io/ubuntu:20.04 AS pluginbuilder
+FROM vault-auth-tee:test
 ARG VERSION=1.20.4
 ARG CGO_ENABLED=1
 ARG BUILD_TAGS="default"
 ENV JOBS=2
 RUN set -eux; \
    DEBIAN_FRONTEND=noninteractive apt-get update -y; \
    DEBIAN_FRONTEND=noninteractive apt-get install -y -q curl; \
    :
 RUN set -eux; \
    curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key; \
    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list; \
    DEBIAN_FRONTEND=noninteractive apt-get update; \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        build-essential \
        cmake \
        rsync \
        pkg-config \
        libssl-dev \
        libcurl4-openssl-dev \
        libprotobuf-dev \
        protobuf-compiler \
        clang \
        libsgx-headers \
        libsgx-dcap-quote-verify-dev \
    ; \
    :
 RUN mkdir /goroot && mkdir /go
 RUN curl https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz \
           | tar xvzf - -C /goroot --strip-components=1
 ENV GOPATH /go
 ENV GOROOT /goroot
 ENV PATH $GOROOT/bin:$GOPATH/bin:$PATH
 WORKDIR /
 RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/go --mount=type=bind,target=/data  \
    set -eux; \
    mkdir -p /go/src/github.com/matter-labs/vault-auth-tee; \
    cd /go/src/github.com/matter-labs/vault-auth-tee; \
    rsync -a --delete-after /data/ ./ ; \
    CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o vault-auth-tee cmd/vault-auth-tee/main.go ; \
    mkdir -p /opt/vault/plugins; \
    cp vault-auth-tee /opt/vault/plugins/vault-auth-tee; \
    :
 FROM scratch
 WORKDIR /opt/vault/plugins
 COPY --from=pluginbuilder /opt/vault/plugins/vault-auth-tee /opt/vault/plugins/vault-auth-tee
--- a/flake.lock
+++ b/flake.lock
@ -52,23 +52,18 @@
        "type": "github"
      }
    },
-    "gitignore": {
+    "nix-filter": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1703887061,
+        "lastModified": 1705332318,
-        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
+        "narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=",
-        "owner": "hercules-ci",
+        "owner": "numtide",
-        "repo": "gitignore.nix",
+        "repo": "nix-filter",
-        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
+        "rev": "3449dc925982ad46246cfc36469baf66e1b64f17",
        "type": "github"
      },
      "original": {
-        "owner": "hercules-ci",
+        "owner": "numtide",
-        "repo": "gitignore.nix",
+        "repo": "nix-filter",
        "type": "github"
      }
    },
@ -111,7 +106,7 @@
    },
    "root": {
      "inputs": {
-        "gitignore": "gitignore",
+        "nix-filter": "nix-filter",
        "nixpkgs": "nixpkgs",
        "nixsgx-flake": "nixsgx-flake"
      }
--- a/flake.nix
+++ b/flake.nix
@ -2,47 +2,62 @@
  description = "vault auth plugin for remote attestation of TEEs";
  inputs = {
    # for libsgx-dcap-quote-verify
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
    nix-filter.url = "github:numtide/nix-filter";
    nixsgx-flake = {
      url = "github:matter-labs/nixsgx";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    gitignore = {
      url = "github:hercules-ci/gitignore.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, gitignore, nixsgx-flake, ... }:
+  outputs = { self, nixpkgs, nixsgx-flake, nix-filter, ... }:
    let
      system = "x86_64-linux";
      filter = nix-filter.lib;
      pkgs = import nixpkgs { inherit system; overlays = [ nixsgx-flake.overlays.default ]; };
      bin = pkgs.buildGoModule {
-          buildInputs = with pkgs; [
+        buildInputs = with pkgs; [
-            nixsgx.sgx-sdk
+          nixsgx.sgx-sdk
-            nixsgx.sgx-dcap
+          nixsgx.sgx-dcap
-            nixsgx.sgx-dcap.quote_verify
+          nixsgx.sgx-dcap.quote_verify
          ];
        CGO_CFLAGS =
          "-I${pkgs.nixsgx.sgx-dcap}/include -I${pkgs.nixsgx.sgx-sdk}/include";
        LDFLAGS = "-L${pkgs.nixsgx.sgx-dcap}/lib";
        name = "vault-auth-tee";
        src = gitignore.lib.gitignoreSource ./.;
        vendorHash = "sha256-lhc4Fs+jGVYnd3vUWWXpebuBsPz6vbr1bCGwdyIPeKU=";
      };
      dockerImage = pkgs.dockerTools.buildImage {
        name = "vault-auth-tee";
        tag = "latest";
        copyToRoot = [
          bin
          # pkgs.vault
        ];
-        #config = { Cmd = [ "${bin}/bin/vault" ]; };
+
        name = "vault-auth-tee";
        src = filter {
          root = ./.;
          include = [
            ./go.mod
            ./go.sum
            "cmd"
            "test-fixtures"
            (filter.matchExt "go")
          ];
        };
        vendorHash = "sha256-t59C0yzJzFAXNXYOFbta2g5CYlkfvlukq42cxCwLaGY=";
      };
      dockerImage = pkgs.dockerTools.buildLayeredImage {
        name = "vault-auth-tee";
        tag = "test";
        config.Entrypoint = [ "/bin/sh" ];
        contents = pkgs.buildEnv {
          name = "image-root";
          paths = with pkgs.dockerTools; [
            bin
            pkgs.vault
            usrBinEnv
            binSh
            caCertificates
            fakeNss
          ];
          pathsToLink = [ "/bin" "/etc" ];
        };
      };
    in
    with pkgs; {
@ -53,7 +68,7 @@
      };
      devShells.x86_64-linux.default = mkShell {
        inputsFrom = [ bin ];
-        buildInputs = with pkgs; [ dive go_1_19 gotools mypkgs.sgx-sdk mypkgs.libsgx-dcap-quote-verify ];
+        nativeBuildInputs = with pkgs; [ dive go_1_21 ];
      };
    };
 }
--- a/go.sum
+++ b/go.sum
@ -827,8 +827,6 @@ github.com/hashicorp/vault-plugin-secrets-openldap v0.12.0 h1:tAGJwjgu/NlHwIJeL/
 github.com/hashicorp/vault-plugin-secrets-openldap v0.12.0/go.mod h1:9Jvrdmtc2/f4V1M33wGgtiXHdTtCC6l5pbMfInTurzc=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3 h1:k5jCx6laFvQHvrQod+TSHSoDqF3ZSIlQB4Yzj6koz0I=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3/go.mod h1:yqCovAKNUNYnNrs5Wh95aExpsWEU45GB9FV7EquaSbA=
 github.com/hashicorp/vault/api v1.11.0 h1:AChWByeHf4/P9sX3Y1B7vFsQhZO2BgQiCMQ2SA1P1UY=
 github.com/hashicorp/vault/api v1.11.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
 github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
 github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
 github.com/hashicorp/vault/sdk v0.11.0 h1:KP/tBUywaVcvOebAfMPNCCiXKeCNEbm3JauYmrZd7RI=
@ -1443,8 +1441,6 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -1635,8 +1631,6 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@ -1645,8 +1639,6 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=