harald/vault-auth-tee
1
0
Fork 0
mirror of https://github.com/matter-labs/vault-auth-tee.git synced 2025-07-21 07:43:57 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: build the container image with nix (#36)

Browse source
This commit is contained in:
Harald Hoyer 2024-02-13 14:24:43 +01:00 committed by GitHub
commit beeb93ed62
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 117 additions and 185 deletions
Download patch file Download diff file Expand all files Collapse all files

41
.github/workflows/container.yml vendored
View file

@ -1,41 +0,0 @@
name: Container
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
permissions:
packages: write
contents: read
jobs:
push_to_registry:
name: Build and push containers image to GitHub Packages
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up env
run: echo "repository_owner=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
- name: Build and Push Container
uses: docker/build-push-action@v5
with:
tags: |
ghcr.io/${{env.repository_owner}}/${{ github.event.repository.name }}:latest
matterlabsrobot/${{ github.event.repository.name }}:latest
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}

40
.github/workflows/go.yml vendored
View file

@ -1,40 +0,0 @@
# This workflow will build a golang project
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
name: Go
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Prep
run: |
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
sudo apt -o Acquire::Retries=3 update
sudo apt -o Acquire::Retries=3 install -y --no-install-recommends \
libsgx-headers \
libsgx-enclave-common \
libsgx-urts \
libsgx-dcap-quote-verify \
libsgx-dcap-quote-verify-dev
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21.4
- name: Build
run: go build -v ./...
- name: Test
run: go test -v ./...

63
.github/workflows/nix.yml vendored Normal file
View file

@ -0,0 +1,63 @@
name: nix
on:
pull_request:
branches: [ "main" ]
push:
branches: [ "main" ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix flake check -L --show-trace --keep-going
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix fmt
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
continue-on-error: true
with:
name: vault-auth-tee
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: nixsgx
- name: nix build
run: nix run nixpkgs#nixci
- name: nix docker image
run: |
nix build .#dockerImage
docker load -i result
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and Push Container
uses: docker/build-push-action@v5
with:
tags: matterlabsrobot/vault-auth-tee:latest
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}

54
Dockerfile
View file

@ -1,53 +1 @@
FROM docker.io/ubuntu:20.04 AS pluginbuilder
ARG VERSION=1.20.4
ARG CGO_ENABLED=1
ARG BUILD_TAGS="default"
ENV JOBS=2
RUN set -eux; \
DEBIAN_FRONTEND=noninteractive apt-get update -y; \
DEBIAN_FRONTEND=noninteractive apt-get install -y -q curl; \
:
RUN set -eux; \
curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key; \
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list; \
DEBIAN_FRONTEND=noninteractive apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
build-essential \
cmake \
rsync \
pkg-config \
libssl-dev \
libcurl4-openssl-dev \
libprotobuf-dev \
protobuf-compiler \
clang \
libsgx-headers \
libsgx-dcap-quote-verify-dev \
; \
:
RUN mkdir /goroot && mkdir /go
RUN curl https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz \
| tar xvzf - -C /goroot --strip-components=1
ENV GOPATH /go
ENV GOROOT /goroot
ENV PATH $GOROOT/bin:$GOPATH/bin:$PATH
WORKDIR /
RUN --mount=type=cache,target=/root/.cache --mount=type=cache,target=/go --mount=type=bind,target=/data \
set -eux; \
mkdir -p /go/src/github.com/matter-labs/vault-auth-tee; \
cd /go/src/github.com/matter-labs/vault-auth-tee; \
rsync -a --delete-after /data/ ./ ; \
CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o vault-auth-tee cmd/vault-auth-tee/main.go ; \
mkdir -p /opt/vault/plugins; \
cp vault-auth-tee /opt/vault/plugins/vault-auth-tee; \
:
FROM scratch
WORKDIR /opt/vault/plugins
COPY --from=pluginbuilder /opt/vault/plugins/vault-auth-tee /opt/vault/plugins/vault-auth-tee
FROM vault-auth-tee:test

23
flake.lock generated
View file

@ -52,23 +52,18 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"nix-filter": {
"locked": {
"lastModified": 1703887061,
"narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
"lastModified": 1705332318,
"narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "3449dc925982ad46246cfc36469baf66e1b64f17",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"owner": "numtide",
"repo": "nix-filter",
"type": "github"
}
},
@ -111,7 +106,7 @@
},
"root": {
"inputs": {
"gitignore": "gitignore",
"nix-filter": "nix-filter",
"nixpkgs": "nixpkgs",
"nixsgx-flake": "nixsgx-flake"
}

73
flake.nix
View file

@ -2,47 +2,62 @@
description = "vault auth plugin for remote attestation of TEEs";
inputs = {
# for libsgx-dcap-quote-verify
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nix-filter.url = "github:numtide/nix-filter";
nixsgx-flake = {
url = "github:matter-labs/nixsgx";
inputs.nixpkgs.follows = "nixpkgs";
};
gitignore = {
url = "github:hercules-ci/gitignore.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, gitignore, nixsgx-flake, ... }:
outputs = { self, nixpkgs, nixsgx-flake, nix-filter, ... }:
let
system = "x86_64-linux";
filter = nix-filter.lib;
pkgs = import nixpkgs { inherit system; overlays = [ nixsgx-flake.overlays.default ]; };
bin = pkgs.buildGoModule {
buildInputs = with pkgs; [
nixsgx.sgx-sdk
nixsgx.sgx-dcap
nixsgx.sgx-dcap.quote_verify
];
CGO_CFLAGS =
"-I${pkgs.nixsgx.sgx-dcap}/include -I${pkgs.nixsgx.sgx-sdk}/include";
LDFLAGS = "-L${pkgs.nixsgx.sgx-dcap}/lib";
name = "vault-auth-tee";
src = gitignore.lib.gitignoreSource ./.;
vendorHash = "sha256-lhc4Fs+jGVYnd3vUWWXpebuBsPz6vbr1bCGwdyIPeKU=";
};
dockerImage = pkgs.dockerTools.buildImage {
name = "vault-auth-tee";
tag = "latest";
copyToRoot = [
bin
# pkgs.vault
buildInputs = with pkgs; [
nixsgx.sgx-sdk
nixsgx.sgx-dcap
nixsgx.sgx-dcap.quote_verify
];
#config = { Cmd = [ "${bin}/bin/vault" ]; };
name = "vault-auth-tee";
src = filter {
root = ./.;
include = [
./go.mod
./go.sum
"cmd"
"test-fixtures"
(filter.matchExt "go")
];
};
vendorHash = "sha256-t59C0yzJzFAXNXYOFbta2g5CYlkfvlukq42cxCwLaGY=";
};
dockerImage = pkgs.dockerTools.buildLayeredImage {
name = "vault-auth-tee";
tag = "test";
config.Entrypoint = [ "/bin/sh" ];
contents = pkgs.buildEnv {
name = "image-root";
paths = with pkgs.dockerTools; [
bin
pkgs.vault
usrBinEnv
binSh
caCertificates
fakeNss
];
pathsToLink = [ "/bin" "/etc" ];
};
};
in
with pkgs; {
@ -53,7 +68,7 @@
};
devShells.x86_64-linux.default = mkShell {
inputsFrom = [ bin ];
buildInputs = with pkgs; [ dive go_1_19 gotools mypkgs.sgx-sdk mypkgs.libsgx-dcap-quote-verify ];
nativeBuildInputs = with pkgs; [ dive go_1_21 ];
};
};
}

8
go.sum
View file

@ -827,8 +827,6 @@ github.com/hashicorp/vault-plugin-secrets-openldap v0.12.0 h1:tAGJwjgu/NlHwIJeL/
github.com/hashicorp/vault-plugin-secrets-openldap v0.12.0/go.mod h1:9Jvrdmtc2/f4V1M33wGgtiXHdTtCC6l5pbMfInTurzc=
github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3 h1:k5jCx6laFvQHvrQod+TSHSoDqF3ZSIlQB4Yzj6koz0I=
github.com/hashicorp/vault-plugin-secrets-terraform v0.7.3/go.mod h1:yqCovAKNUNYnNrs5Wh95aExpsWEU45GB9FV7EquaSbA=
github.com/hashicorp/vault/api v1.11.0 h1:AChWByeHf4/P9sX3Y1B7vFsQhZO2BgQiCMQ2SA1P1UY=
github.com/hashicorp/vault/api v1.11.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
github.com/hashicorp/vault/sdk v0.11.0 h1:KP/tBUywaVcvOebAfMPNCCiXKeCNEbm3JauYmrZd7RI=
@ -1443,8 +1441,6 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4
golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -1635,8 +1631,6 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@ -1645,8 +1639,6 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=