Skip to content

Commit

Permalink
Update azure-gramine-deploy.yml
Browse files Browse the repository at this point in the history
  • Loading branch information
@maceip
maceip authored Oct 8, 2024
1 parent b4be681 commit 974ca6d
Showing 1 changed file with 115 additions and 32 deletions.
147 changes: 115 additions & 32 deletions .github/workflows/azure-gramine-deploy.yml
View file
Original file line number Diff line number Diff line change
@@ -1,21 +1,25 @@
name: azure-tee-release

on:
release:
types: [published]
branches:
- 'releases/**'
on: workflow_dispatch
#on:
# release:
# types: [published]
# branches:
# - 'releases/**'

env:
GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }}
GIT_COMMIT_TIMESTAMP: ${{ github.event.repository.updated_at}}

jobs:
update-reverse-proxy:
environment: tee
runs-on: ubuntu-latest
runs-on: [self-hosted, linux]
outputs:
teeport: ${{ steps.portbump.outputs.newport}}
steps:
- name: checkout repository
uses: actions/checkout@v4
with:
ref: "dev"
- name: apt
run: |
sudo apt-get update
Expand All @@ -25,20 +29,24 @@ jobs:
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
DOMAIN=notary.covert.codes
DOMAIN=tee.notary.codes
CADDYFILE_PATH='cd-scripts/tee/azure/Caddyfile'
PORT_FILE='cd-scripts/tee/azure/tags.txt'
START_PORT=6061
handler=$RELEASE_TAG
if [ -z "${RELEASE_TAG}" ]; then
handler=dev
fi
# create ports.txt if it doesn't exist
if [ ! -f "$PORT_FILE" ]; then
echo "health $START_PORT" > $PORT_FILE
fi
# check if the release tag already has a port assigned
ASSIGNED_PORT=$(grep "${RELEASE_TAG}" $PORT_FILE | awk '{print $2}')
ASSIGNED_PORT=$(grep "${handler}" $PORT_FILE | awk '{print $2}')
if [ -z "$ASSIGNED_PORT" ]; then
# find the next available port if this release tag doesn't have one
NEXT_PORT=$(($(tail -n 1 $PORT_FILE | awk '{print $2}') + 1))
echo "${RELEASE_TAG} ${NEXT_PORT}" >> $PORT_FILE
echo "${handler} ${NEXT_PORT}" >> $PORT_FILE
else
NEXT_PORT=$ASSIGNED_PORT
fi
Expand All @@ -49,15 +57,21 @@ jobs:
echo -e "$DOMAIN {\n}" >> $CADDYFILE_PATH
fi
# insert the reverse proxy entry for the new release tag
sed -i "/$DOMAIN {/a \ \ \ \ reverse_proxy /${RELEASE_TAG}* localhost:${NEXT_PORT}" $CADDYFILE_PATH
sed -i "/$DOMAIN {/a \ \ \ \ reverse_proxy /${handler}* localhost:${NEXT_PORT}" $CADDYFILE_PATH
echo "proxying /${handler} to 127.0.0.1/${NEXT_PORT}" | tee >> $GITHUB_STEP_SUMMARY
- name: Commit and push updated Caddyfile
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
run: |
handler=$RELEASE_TAG
if [ -z "${RELEASE_TAG}" ]; then
handler=dev
fi
git config user.name github-actions
git config user.email [email protected]
git add .
git commit -m "azure tee release: ${RELEASE_TAG}"
git commit -m "azure tee release: ${handler}"
git push
- name: Deploy updated Caddyfile to server
uses: appleboy/[email protected]
Expand All @@ -77,44 +91,113 @@ jobs:
script: |
sudo cp ~/cd-scripts/tee/azure/Caddyfile /etc/caddy/Caddyfile
sudo systemctl reload caddy
build-measure-deploy:
build-measure:
environment: tee
runs-on: [self-hosted, linux]
needs: [ update-reverse-proxy ]
container:
image: notaryserverbuilds.azurecr.io/builder/gramine
image: notaryserverbuilds.azurecr.io/prod/gramine
credentials:
username: notaryserverbuilds
password: ${{ secrets.AZURE_CR_BUILDS_PW }}
env:
GIT_COMMIT_HASH: $EVENTTAG
GIT_COMMIT_TIMESTAMP: ${{ github.event.repository.updated_at}}
GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }}
volumes:
- /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
options: "--device /dev/sgx_enclave"
steps:
- name: get code
uses: actions/checkout@v4
- name: get emulated measurement
with:
repository: tlsnotary/tlsn
ref: quote-presentation
- name: sccache
if: github.event_name != 'release'
# && github.event_name != 'workflow_dispatch'
uses: mozilla-actions/[email protected]
- name: set rust env for scc
if: github.event_name != 'release'
# && github.event_name != 'workflow_dispatch'
run: |
echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
- name: reverse proxy port
run: echo "${{needs.update-reverse-proxy.outputs.teeport}}" | tee >> $GITHUB_STEP_SUMMARY

- name: get measurement
working-directory: ${{ github.workspace }}/crates/notary/server/fixture/tee
run: |
cd crates/notary/server/fixture/gramine
curl https://sh.rustup.rs -sSf | sh -s -- -y
. "$HOME/.cargo/env"
apt install libssl-dev
gramine-sgx-gen-private-key
make
gramine-sgx-sigstruct-view --verbose --output-format=toml notary-server.sig
- name: get real measurement
gramine-sgx-sign -m notary-server.manifest -o notary-server.sgx
mr_enclave=$(gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig |jq .mr_enclave)
echo "mrenclave=$mr_enclave" >> "$GITHUB_OUTPUT"
echo "#### sgx mrenclave" | tee >> $GITHUB_STEP_SUMMARY
echo "\`\`\`${mr_enclave}\`\`\`" | tee >> $GITHUB_STEP_SUMMARY
- name: get quote from notary
working-directory: ${{ github.workspace }}/crates/notary/server/fixture/tee
id: attestation
run: |
cd crates/notary/server/fixture/gramine
SGX=1 make
gramine-sgx-sigstruct-view --verbose --output-format=toml notary-server.sig
- name: get measurement from notary
SGX=1 make
gramine-sgx-sign -m notary-server.manifest -o notary-server.sgx
: # set up the fs like the hosted notary docker container:
mkdir config && cp config.yaml config && mkdir /tee && cp -R ../tee/* /tee/ && cd /tee &&
: # invoke sgx (use gramine-direct to emulate sgx hardware):
gramine-sgx notary-server &
sleep 5
quote=$(curl 127.0.0.1:7047/info | jq .quote.rawQuote)
echo $quote
echo "quote=$quote" >> $GITHUB_OUTPUT
echo "#### 🔒 signed quote ${quote}" | tee >> $GITHUB_STEP_SUMMARY
echo "${quote}" | tee >> $GITHUB_STEP_SUMMARY
artifact-deploy:
environment: tee
runs-on: [self-hosted, linux]
needs: [ build-measure, update-reverse-proxy ]
# outputs:
# result: ${{ steps.artifact.outputs.hash}}
steps:
- name: auth to registry
uses: docker/login-action@v3
with:
registry: notaryserverbuilds.azurecr.io
username: notaryserverbuilds
password: ${{ secrets.AZURE_CR_BUILDS_PW }}
- name: get code
uses: actions/checkout@v4
with:
repository: tlsnotary/tlsn
ref: quote-presentation
- name: sccache
if: github.event_name != 'release'
# && github.event_name != 'workflow_dispatch'
uses: mozilla-actions/[email protected]
- name: set rust env for scc
if: github.event_name != 'release'
# && github.event_name != 'workflow_dispatch'
run: |
cd crates/notary/server/fixture/gramine
SGX=1 make
SGX=1 make start-gramine-server &
curl 127.0.0.1:7047/info
echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push


uses: docker/build-push-action@v6
with:
push: true
tags: notaryserverbuilds.azurecr.io/prod/gramine:$GIT_COMMIT_HASH
context: ${{ github.workspace }}/crates/notary/server/fixture/tee
# testing:
push: ${{ github.actor == 'maceip' }}
tags: notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }}
labels: ${{needs.update-reverse-proxy.outputs.teeport}}
- name: run
run: |
docker run --device /dev/sgx_enclave --device /dev/sgx_provision -p ${{needs.update-reverse-proxy.outputs.teeport}}:7047 notaryserverbuilds.azurecr.io/prod/gramine:$GIT_COMMIT_HASH
docker run --device /dev/sgx_enclave --device /dev/sgx_provision --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -p ${{needs.update-reverse-proxy.outputs.teeport}}:7047 notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }} &

0 comments on commit 974ca6d

Please sign in to comment.