From 41a4804890f729d16e5b6974ba54c0d4df4b2e1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Wei=C3=9Fe?=
Date: Thu, 20 Jun 2024 16:41:07 +0200
Subject: [PATCH] generate: add flag for aks reference values

The manifest will be generated with invalid null values when the flag is not specified which must be filled out by the user.
---
 cli/cmd/generate.go | 13 +++++++++++
 .../internal/authority/authority_test.go | 2 +-
 e2e/internal/contrasttest/contrasttest.go | 7 +++++-
 internal/manifest/constants.go | 22 ++++++++++++-------
 justfile | 1 +
 5 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
index e4b3723665..26959a27b9 100644
--- a/cli/cmd/generate.go
+++ b/cli/cmd/generate.go
@@ -63,6 +63,7 @@ subcommands.`,
 cmd.Flags().StringP("policy", "p", rulesFilename, "path to policy (.rego) file")
 cmd.Flags().StringP("settings", "s", settingsFilename, "path to settings (.json) file")
 cmd.Flags().StringP("manifest", "m", manifestFilename, "path to manifest (.json) file")
+ cmd.Flags().String("reference-values", "", "set the default reference values used for attestation (one of: aks)")
 cmd.Flags().StringArrayP("workload-owner-key", "w", []string{workloadOwnerPEM}, "path to workload owner key (.pem) file")
 cmd.Flags().BoolP("disable-updates", "d", false, "prevent further updates of the manifest")
 cmd.Flags().String("image-replacements", "", "path to image replacements file")
@@ -115,6 +116,9 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 }

 defaultManifest := manifest.Default()
+ if flags.referenceValues == "aks" {
+ defaultManifest = manifest.DefaultAKS()
+ }
 defaultManifestData, err := json.MarshalIndent(&defaultManifest, "", " ")
 if err != nil {
 return fmt.Errorf("marshaling default manifest: %w", err)
@@ -445,6 +449,7 @@ type generateFlags struct {
 policyPath string
 settingsPath string
 manifestPath string
+ referenceValues string
 workloadOwnerKeys []string
 disableUpdates bool
 workspaceDir string 
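Review bot: The set of accepted reference-value names is now encoded twice — `[]string{"", "aks"}` in parseGenerateFlags and the `== "aks"` comparison added here in runGenerate — so a second platform must be added in both places, and a mismatch would silently fall through to manifest.Default(). A single table shared by both, e.g. `var referenceValueDefaults = map[string]func() manifest.Manifest{"aks": manifest.DefaultAKS}`, with `if mk, ok := referenceValueDefaults[flags.referenceValues]; ok { defaultManifest = mk() }` here and a key lookup in the validation, keeps them in step. When the flag is unset the manifest is written with the SNP reference values left empty (per the commit description) and nothing tells the operator, so a line such as `fmt.Fprintln(cmd.ErrOrStderr(), "warning: no --reference-values given; SNP reference values in the manifest are empty and must be filled in before use")` in that branch would make the incomplete output visible. runGenerate starts and ends outside this hunk.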
@@ -465,6 +470,13 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
 if err != nil {
 return nil, err
 }
+ referenceValues, err := cmd.Flags().GetString("reference-values")
+ if err != nil {
+ return nil, err
+ }
+ if !slices.Contains([]string{"", "aks"}, referenceValues) {
+ return nil, fmt.Errorf("unknown reference values")
+ }
 workloadOwnerKeys, err := cmd.Flags().GetStringArray("workload-owner-key")
 if err != nil {
 return nil, err
@@ -507,6 +519,7 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
 policyPath: policyPath,
 settingsPath: settingsPath,
 manifestPath: manifestPath,
+ referenceValues: referenceValues,
 workloadOwnerKeys: workloadOwnerKeys,
 disableUpdates: disableUpdates,
 workspaceDir: workspaceDir,
diff --git a/coordinator/internal/authority/authority_test.go b/coordinator/internal/authority/authority_test.go
index 445eaab1ca..ba29ab593a 100644
--- a/coordinator/internal/authority/authority_test.go
+++ b/coordinator/internal/authority/authority_test.go
@@ -92,7 +92,7 @@ func newManifest(t *testing.T) (*manifest.Manifest, []byte, [][]byte) {
 policyHash := sha256.Sum256(policy)
 policyHashHex := manifest.NewHexString(policyHash[:])

- mnfst := manifest.Default()
+ mnfst := manifest.DefaultAKS()
 mnfst.Policies = map[manifest.HexString][]string{policyHashHex: {"test"}}
 mnfst.WorkloadOwnerKeyDigests = []manifest.HexString{keyDigest}
 mnfstBytes, err := json.Marshal(mnfst)
diff --git a/e2e/internal/contrasttest/contrasttest.go b/e2e/internal/contrasttest/contrasttest.go
index 630891ac4e..9209a7812e 100644
--- a/e2e/internal/contrasttest/contrasttest.go
+++ b/e2e/internal/contrasttest/contrasttest.go 
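Review bot: The rejection in the new `slices.Contains` check reports neither the value that was rejected nor the values that are accepted, so an operator who mistypes the flag gets only "unknown reference values"; `return nil, fmt.Errorf("unknown reference values %q (one of: aks)", referenceValues)` gives them both. As written, `fmt.Errorf` with a constant string is also what linters flag in favour of `errors.New`, which is moot once the value is interpolated. The `slices` import is presumably already present in generate.go, as this hunk does not add it. parseGenerateFlags starts and ends outside this hunk.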
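Review bot: With newManifest switched to manifest.DefaultAKS(), the authority tests no longer construct a manifest from manifest.Default(), whose SNP reference values are now left unset, yet the commit description relies on such a manifest being rejected as invalid. Unless that is covered elsewhere, a test that feeds the coordinator a Default() manifest and asserts it is refused would pin the behaviour this change depends on. newManifest starts before the hunk and continues after it.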
@@ -133,7 +133,12 @@ func (ct *ContrastTest) Init(t *testing.T, resources []any) {
 func (ct *ContrastTest) Generate(t *testing.T) {
 require := require.New(t)

- args := append(ct.commonArgs(), "--image-replacements", ct.ImageReplacementsFile, path.Join(ct.WorkDir, "resources.yaml"))
+ args := append(
+ ct.commonArgs(),
+ "--image-replacements", ct.ImageReplacementsFile,
+ "--reference-values", "aks",
+ path.Join(ct.WorkDir, "resources.yaml"),
+ )
 generate := cmd.NewGenerateCmd()
 generate.Flags().String("workspace-dir", "", "") // Make generate aware of root flags

diff --git a/internal/manifest/constants.go b/internal/manifest/constants.go
index 258d36f69f..79497a7fa8 100644
--- a/internal/manifest/constants.go
+++ b/internal/manifest/constants.go
@@ -10,19 +10,25 @@ var trustedMeasurement = "000000000000000000000000000000000000000000000000000000
 func Default() Manifest {
 return Manifest{
 ReferenceValues: ReferenceValues{
- SNP: SNPReferenceValues{
- MinimumTCB: SNPTCB{
- BootloaderVersion: toPtr(SVN(3)),
- TEEVersion: toPtr(SVN(0)),
- SNPVersion: toPtr(SVN(8)),
- MicrocodeVersion: toPtr(SVN(115)),
- },
- },
 TrustedMeasurement: HexString(trustedMeasurement),
 },
 }
 }

+// DefaultAKS returns a default manifest with AKS reference values.
+func DefaultAKS() Manifest {
+ mnfst := Default()
+ mnfst.ReferenceValues.SNP = SNPReferenceValues{
+ MinimumTCB: SNPTCB{
+ BootloaderVersion: toPtr(SVN(3)),
+ TEEVersion: toPtr(SVN(0)),
+ SNPVersion: toPtr(SVN(8)),
+ MicrocodeVersion: toPtr(SVN(115)),
+ },
+ }
+ return mnfst
+}
+
 func toPtr[T any](t T) *T {
 return &t
 }
diff --git a/justfile b/justfile
index 7e229472f7..1dd2c6913f 100644
--- a/justfile
+++ b/justfile 
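Review bot: The four MinimumTCB SVNs that DefaultAKS hard-codes (3, 0, 8, 115) carry no note of where they were taken from, so a maintainer cannot tell when they must be raised or what platform state they vouch for; a comment above the `SNPReferenceValues{` literal along the lines of `// Minimum TCB accepted for AKS CVM nodes; raise when the AKS host platform rolls forward (source: <TODO: record where these SVNs were obtained>)` would record that. Default() now returns a manifest whose ReferenceValues.SNP is the zero value, and its doc comment, if it has one, sits outside the hunk and should say that SNP reference values are left unset and must be supplied by the caller; the DefaultAKS comment could likewise say it builds on Default() and only fills in the SNP values. Both functions are fully contained in this hunk.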
@@ -79,6 +79,7 @@ generate cli=default_cli:
 nix run .#{{ cli }} -- generate \
 --workspace-dir ./{{ workspace_dir }} \
 --image-replacements ./{{ workspace_dir }}/just.containerlookup \
+ --reference-values aks \
 ./{{ workspace_dir }}/deployment/*.yml
 duration=$(( $(date +%s) - $t ))
 echo "Generated policies in $duration seconds."