Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

genpolicy: allow contrast env vars for coordinator #587

Merged
merged 2 commits into from
Jun 17, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 0 additions & 17 deletions docs/docs/troubleshooting.md
Original file line number Diff line number Diff line change
@@ -50,23 +50,6 @@ spec: # v1.PodSpec
# ...
```

After changing the Coordinator configuration you have to regenerate the policies
for the `coordinator.yml` file.

```sh
contrast generate coordinator.yml
```

:::info

When updating the Coordinator policy, the policy hash is stored in the
`coordinator-policy.sha256` file. This hash needs to be passed to every
subsequent call to `contrast set` and `contrast verify` using the
`--coordinator-policy-hash` flag, as the hash now differs from the one embedded
into the CLI.

:::

To access the logs generated by the Coordinator, you can use `kubectl` with the
following command.

Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
diff --git a/genpolicy-settings.json b/genpolicy-settings.json
index 7d35862a..4eacc7cd 100644
--- a/genpolicy-settings.json
+++ b/genpolicy-settings.json
@@ -307,7 +307,8 @@
"^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
"^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
"^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
+ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+ "^CONTRAST_[A-Z0-9_]*=.*$"
]
},
"CopyFileRequest": [
@@ -322,4 +323,4 @@
"UpdateEphemeralMountsRequest": false,
"WriteStreamRequest": false
}
-}
\ No newline at end of file
+}
Original file line number Diff line number Diff line change
@@ -1,8 +1,18 @@
diff --git a/genpolicy-settings.json b/genpolicy-settings.json
index 7d35862..536c10e 100644
index 7d35862a..f469b201 100644
--- a/genpolicy-settings.json
+++ b/genpolicy-settings.json
@@ -315,11 +315,13 @@
@@ -307,7 +307,8 @@
"^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
"^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
"^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
+ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+ "^CONTRAST_[A-Z0-9_]*=.*$"
]
},
"CopyFileRequest": [
@@ -315,11 +316,13 @@
],
"ExecProcessRequest": {
"commands": [],
5 changes: 5 additions & 0 deletions packages/by-name/microsoft/genpolicy/package.nix
Original file line number Diff line number Diff line change
@@ -74,6 +74,11 @@ rustPlatform.buildRustPackage rec {
'';
};

settings-coordinator = applyPatches {
src = settings;
patches = [ ./genpolicy_msft_settings_coordinator.patch ];
};

# Settings that allow exec into CVM pods - not safe for production use!
settings-dev = applyPatches {
src = settings;
2 changes: 1 addition & 1 deletion packages/scripts.nix
Original file line number Diff line number Diff line change
@@ -168,7 +168,7 @@

pushd "$tmpdir" >/dev/null
cp ${pkgs.microsoft.genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
cp ${pkgs.microsoft.genpolicy.settings}/genpolicy-settings.json .
cp ${pkgs.microsoft.genpolicy.settings-coordinator}/genpolicy-settings.json .
genpolicy < "$tmpdir/coordinator_base.yml"
popd >/dev/null
'';