Add Azure AKS job

mcollins-ttd · mcollins-ttd · commit 99c4f90c15aa · 2025-03-13T13:17:06.000+11:00
diff --git a/.github/workflows/publish-all-operators.yaml b/.github/workflows/publish-all-operators.yaml
@@ -169,12 +169,18 @@ jobs:
           pattern: gcp-oidc-enclave-ids-*
           path: ./manifests/gcp_oidc_operator
 
-      - name: Download Azure manifest
+      - name: Download Azure CC manifest
         uses: actions/download-artifact@v4
         with:
           pattern: azure-cc-enclave-id-*
           path: ./manifests/azure_cc_operator
 
+      - name: Download Azure AKS manifest
+        uses: actions/download-artifact@v4
+        with:
+          pattern: azure-aks-enclave-id-*
+          path: ./manifests/azure_aks_operator
+
       - name: Download EIF manifest
         uses: actions/download-artifact@v4
         with:
@@ -217,6 +223,7 @@ jobs:
           (cd ./deployment/aws-euid-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/aws-uid2-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/azure-cc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
+          (cd ./deployment/azure-aks-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd manifests && zip -r ../uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip .)
 
@@ -230,6 +237,7 @@ jobs:
               ./aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip
+              ./azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip
   notifyFailure:
diff --git a/.github/workflows/publish-azure-cc-enclave-docker.yaml b/.github/workflows/publish-azure-cc-enclave-docker.yaml
@@ -163,7 +163,7 @@ jobs:
             IMAGE_VERSION=${{ steps.update_version.outputs.new_version }}
 
   azureCc:
-    name: Azure CC
+    name: Create Azure CC artifacts
     runs-on: ubuntu-latest
     permissions: {}
     needs: buildImage
@@ -201,11 +201,59 @@ jobs:
           path: ${{ env.MANIFEST_OUTPUT_DIR }}
           if-no-files-found: error
 
-  e2e:
-    name: E2E
+  e2eAzureCc:
+    name: E2E Azure CC
     uses: ./.github/workflows/run-e2e-tests-on-operator.yaml
     needs: [buildImage, azureCc]
     with:
       operator_type: azure
       operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
     secrets: inherit
+
+  azureAks:
+    name: Create Azure AKS artifacts
+    runs-on: ubuntu-latest
+    permissions: {}
+    needs: buildImage
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Azure CLI
+        uses: ./.github/actions/install_az_cli
+
+      - name: check azure-cli version
+        run: |
+          az --version
+
+      - name: Generate Azure deployment artifacts
+        env:
+          IMAGE: ${{ needs.buildImage.outputs.tags }}
+          OUTPUT_DIR: ${{ env.ARTIFACTS_OUTPUT_DIR }}
+          MANIFEST_DIR: ${{ env.MANIFEST_OUTPUT_DIR }}
+          VERSION_NUMBER: ${{ needs.buildImage.outputs.jar_version }}
+        run: |
+          bash ./scripts/azure-aks/deployment/generate-deployment-artifacts.sh
+
+      - name: Upload deployment artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: azure-aks-deployment-files-${{ needs.buildImage.outputs.jar_version }}
+          path: ${{ env.ARTIFACTS_OUTPUT_DIR }}
+          if-no-files-found: error
+
+      - name: Upload manifest
+        uses: actions/upload-artifact@v4
+        with:
+          name: azure-aks-enclave-id-${{ needs.buildImage.outputs.jar_version }}
+          path: ${{ env.MANIFEST_OUTPUT_DIR }}
+          if-no-files-found: error
+
+  e2eAzureAks:
+    name: E2E Azure AKS
+    uses: ./.github/workflows/run-e2e-tests-on-operator.yaml
+    needs: [buildImage, azureAks]
+    with:
+      operator_type: aks
+      operator_image_version: ${{ needs.buildImage.outputs.image_tag }}
+    secrets: inherit
diff --git a/scripts/azure-aks/deployment/generate-deployment-artifacts.sh b/scripts/azure-aks/deployment/generate-deployment-artifacts.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -x
+
+# Following environment variables must be set
+# - IMAGE: uid2-operator image
+# - OUTPUT_DIR: output directory to store the artifacts
+# - MANIFEST_DIR: output directory to store the manifest for the enclave Id
+# - VERSION_NUMBER: the version number of the build
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+INPUT_DIR=${SCRIPT_DIR}
+
+if [[ -z ${IMAGE} ]]; then
+  echo "IMAGE cannot be empty"
+  exit 1
+fi
+IMAGE_VERSION=$(echo $IMAGE | awk -F':' '{print $2}')
+if [[ -z ${IMAGE_VERSION} ]]; then
+  echo "Failed to extract image version from ${IMAGE}"
+  exit 1
+fi
+
+if [[ -z ${OUTPUT_DIR} ]]; then
+  echo "OUTPUT_DIR cannot be empty"
+  exit 1
+fi
+
+mkdir -p ${OUTPUT_DIR}
+if [[ $? -ne 0 ]]; then
+  echo "Failed to create ${OUTPUT_DIR}"
+  exit 1
+fi
+
+mkdir -p ${MANIFEST_DIR}
+if [[ $? -ne 0 ]]; then
+  echo "Failed to create ${MANIFEST_DIR}"
+  exit 1
+fi
+
+# Input files
+INPUT_FILES=(
+    operator.yaml
+)
+
+# Copy input files to output dir
+for f in ${INPUT_FILES[@]}; do
+    cp ${INPUT_DIR}/${f} ${OUTPUT_DIR}/${f}
+    if [[ $? -ne 0 ]]; then
+        echo "Failed to copy ${INPUT_DIR}/${f} to ${OUTPUT_DIR}"
+        exit 1
+    fi
+done
+
+az version
+# Install confcom extension, az is originally available in GitHub workflow environment
+az extension add --name confcom
+if [[ $? -ne 0 ]]; then
+  echo "Failed to install Azure confcom extension"
+  exit 1
+fi
+
+# Required by az confcom
+sudo usermod -aG docker ${USER}
+if [[ $? -ne 0 ]]; then
+  echo "Failed to add current user to docker group"
+  exit 1
+fi
+
+# Generate operator template
+sed -i "s#IMAGE_PLACEHOLDER#${IMAGE}#g" ${OUTPUT_DIR}/operator.yaml
+# && \
+#   sed -i "s#IMAGE_VERSION_PLACEHOLDER#${IMAGE_VERSION}#g" ${OUTPUT_DIR}/operator.yaml
+if [[ $? -ne 0 ]]; then
+  echo "Failed to pre-process operator template file"
+  exit 1
+fi
+
+# Export the policy, update it to turn off allow_environment_variable_dropping, and then insert it into the template
+# note that the EnclaveId is generated by generate.py on the raw policy, not the base64 version
+POLICY_DIGEST_FILE=azure-aks-operator-digest-$VERSION_NUMBER.txt
+az confcom acipolicygen --virtual-node-yaml ${OUTPUT_DIR}/operator.yaml --print-policy > ${INPUT_DIR}/policy.base64
+if [[ $? -ne 0 ]]; then
+  echo "Failed to generate ACI policy"
+  exit 1
+fi
+
+base64 -di < ${INPUT_DIR}/policy.base64 > ${INPUT_DIR}/generated.rego
+sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${INPUT_DIR}/generated.rego
+sed -i 's#{"pattern":"DEPLOYMENT_ENVIRONMENT=DEPLOYMENT_ENVIRONMENT_PLACEHOLDER","required":false,"strategy":"string"}#{"pattern":"DEPLOYMENT_ENVIRONMENT=.+","required":false,"strategy":"re2"}#g' generated.rego
+sed -i 's#{"pattern":"VAULT_NAME=VAULT_NAME_PLACEHOLDER","required":false,"strategy":"string"}#{"pattern":"VAULT_NAME=.+","required":false,"strategy":"re2"}#g' generated.rego
+sed -i 's#{"pattern":"OPERATOR_KEY_SECRET_NAME=OPERATOR_KEY_SECRET_NAME_PLACEHOLDER","required":false,"strategy":"string"}#{"pattern":"OPERATOR_KEY_SECRET_NAME=.+","required":false,"strategy":"re2"}#g' generated.rego
+base64 -w0 < ${INPUT_DIR}/generated.rego > ${INPUT_DIR}/generated.rego.base64
+python3 ${SCRIPT_DIR}/generate.py ${INPUT_DIR}/generated.rego > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
+
+sed -i "s#CCE_POLICY_PLACEHOLDER#$(cat ${INPUT_DIR}/generated.rego.base64)#g" ${OUTPUT_DIR}/operator.yaml
diff --git a/scripts/azure-aks/deployment/generate.py b/scripts/azure-aks/deployment/generate.py
@@ -0,0 +1,20 @@
+import sys
+from hashlib import sha256
+
+def str_to_sha256(x: str) -> str:
+    return sha256(x.encode('utf-8')).hexdigest()
+
+def print_data_sha256(data: str) -> str:
+    print(str_to_sha256(data))
+
+def print_data_sha256_stripped(data: str) -> str:
+    print(str_to_sha256(data.strip()))
+
+def main():
+    with open(sys.argv[1], 'r') as file:
+        data = file.read()
+
+    print_data_sha256(data)
+
+if __name__ == '__main__':
+    main()
diff --git a/scripts/azure-aks/deployment/operator.yaml b/scripts/azure-aks/deployment/operator.yaml
@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: operator-deployment 
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: operator 
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: operator
+      annotations:
+        microsoft.containerinstance.virtualnode.ccepolicy: CCE_POLICY_PLACEHOLDER
+        microsoft.containerinstance.virtualnode.identity: IDENTITY_PLACEHOLDER
+        microsoft.containerinstance.virtualnode.injectdns: "false"
+    spec:
+      containers:
+        - image: "mcr.microsoft.com/aci/skr:2.7"
+          imagePullPolicy: Always
+          name: skr
+          resources:
+            limits:
+              cpu: 2250m
+              memory: 2256Mi
+            requests:
+              cpu: 100m
+              memory: 512Mi
+          env:
+            - name: Port
+              value: "9000"
+          volumeMounts:
+            - mountPath: /opt/confidential-containers/share/kata-containers/reference-info-base64
+              name: endorsement-location
+          command:
+            - /skr.sh
+        - name: uid2-operator
+          image: IMAGE_PLACEHOLDER
+          resources:
+            limits:
+              memory: "8Gi"
+          imagePullPolicy: Always
+          securityContext:
+            runAsUser: 1000
+          env:
+            - name: VAULT_NAME
+              value: VAULT_NAME_PLACEHOLDER
+            - name: OPERATOR_KEY_SECRET_NAME
+              value: OPERATOR_KEY_SECRET_NAME_PLACEHOLDER
+            - name: DEPLOYMENT_ENVIRONMENT
+              value: DEPLOYMENT_ENVIRONMENT_PLACEHOLDER
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+            - name: prometheus
+              containerPort: 9080
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ops/healthcheck
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      volumes:
+        - name: endorsement-location
+          hostPath:
+            path: /opt/confidential-containers/share/kata-containers/reference-info-base64
+      nodeSelector:
+        virtualization: virtualnode2
+      tolerations:
+      - effect: NoSchedule
+        key: virtual-kubelet.io/provider
+        operator: Exists
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: operator-svc
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: operator
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
