genpolicy: allow contrast env vars for coordinator

edgelesssys · Jun 17, 2024 · 3327113 · 3327113
1 parent 34969c9
commit 3327113
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 3 deletions.
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
@@ -0,0 +1,21 @@
+diff --git a/genpolicy-settings.json b/genpolicy-settings.json
+index 7d35862a..4eacc7cd 100644
+--- a/genpolicy-settings.json
++++ b/genpolicy-settings.json
+@@ -307,7 +307,8 @@
+                 "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+-                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++                "^CONTRAST_[A-Z0-9_]*=.*$"
+             ]
+         },
+         "CopyFileRequest": [
+@@ -322,4 +323,4 @@
+         "UpdateEphemeralMountsRequest": false,
+         "WriteStreamRequest": false
+     }
+-}
+\ No newline at end of file
++}
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch
@@ -1,8 +1,18 @@
 diff --git a/genpolicy-settings.json b/genpolicy-settings.json
-index 7d35862..536c10e 100644
+index 7d35862a..f469b201 100644
 --- a/genpolicy-settings.json
 +++ b/genpolicy-settings.json
-@@ -315,11 +315,13 @@
+@@ -307,7 +307,8 @@
+                 "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+-                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++                "^CONTRAST_[A-Z0-9_]*=.*$"
+             ]
+         },
+         "CopyFileRequest": [
+@@ -315,11 +316,13 @@
          ],
          "ExecProcessRequest": {
              "commands": [],

diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
@@ -74,6 +74,11 @@ rustPlatform.buildRustPackage rec {
       '';
     };
 
+    settings-coordinator = applyPatches {
+      src = settings;
+      patches = [ ./genpolicy_msft_settings_coordinator.patch ];
+    };
+
     # Settings that allow exec into CVM pods - not safe for production use!
     settings-dev = applyPatches {
       src = settings;

diff --git a/packages/scripts.nix b/packages/scripts.nix
@@ -168,7 +168,7 @@
 
       pushd "$tmpdir" >/dev/null
       cp ${pkgs.microsoft.genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
-      cp ${pkgs.microsoft.genpolicy.settings}/genpolicy-settings.json .
+      cp ${pkgs.microsoft.genpolicy.settings-coordinator}/genpolicy-settings.json .
       genpolicy < "$tmpdir/coordinator_base.yml"
       popd >/dev/null
     '';