
update image; build hash for kaniko
salrashid123 committed May 9, 2023
1 parent 40c992e commit a0284c1
Showing 15 changed files with 210 additions and 123 deletions.
254 changes: 172 additions & 82 deletions README.md


27 changes: 18 additions & 9 deletions app/BUILD.bazel
Expand Up @@ -2,6 +2,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
load("@io_bazel_rules_docker//go:image.bzl", "go_image")
load("@io_bazel_rules_docker//container:container.bzl", "container_image")
load("@bazel_gazelle//:def.bzl", "gazelle")
load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")

gazelle(name = "gazelle")

Expand All @@ -16,6 +17,22 @@ go_binary(
goarch = "amd64",
)

pkg_tar(
name = "certs_bundle",
srcs = [
"//certs:root-ca-operator.crt",
"//certs:tee-operator.crt",
"//certs:tee-operator.key",
"//certs:root-ca-collaborator1.crt",
"//certs:tee-collaborator1.crt",
"//certs:tee-collaborator1.key",
"//certs:root-ca-collaborator2.crt",
"//certs:tee-collaborator2.crt",
"//certs:tee-collaborator2.key",
],
package_dir = "/certs",
)

container_image(
name = "server",
base = "@distroless_base//image",
Expand All @@ -28,16 +45,8 @@ container_image(
files = [
":main",
":config.json",
"//certs:root-ca-operator.crt",
"//certs:tee-operator.crt",
"//certs:tee-operator.key",
"//certs:root-ca-collaborator1.crt",
"//certs:tee-collaborator1.crt",
"//certs:tee-collaborator1.key",
"//certs:root-ca-collaborator2.crt",
"//certs:tee-collaborator2.crt",
"//certs:tee-collaborator2.key",
],
tars = [":certs_bundle"],
ports = ["8081"],
repository = "us-central1-docker.pkg.dev/builder-project/repo1/tee",
)
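Review bot: The `certs_bundle` pkg_tar rule packs the three mTLS private keys (`tee-operator.key`, `tee-collaborator1.key`, `tee-collaborator2.key`) into a layer of the image that `container_image` pushes to `us-central1-docker.pkg.dev/builder-project/repo1/tee`, so anyone with pull access to that repository can read them. If these are more than sample material, fetch the keys at runtime (for example after attestation) rather than baking them into the image. If baking them in is intentional for this demo, say so in a comment on the rule and tighten the file mode with `mode = "0400",` next to `package_dir`, since pkg_tar's default mode presumably leaves them world-readable inside the container.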
30 changes: 9 additions & 21 deletions app/Dockerfile
@@ -1,36 +1,24 @@
# go1.19.8 linux/amd64
FROM docker.io/golang@sha256:9f2dd04486e84eec72d945b077d568976981d9afed8b4e2aeb08f7ab739292b3 as build

WORKDIR /go/src/app
COPY . .

RUN go mod download
RUN go vet -v
RUN go test -v
RUN GOOS=linux GOARCH=amd64 go build -buildvcs=false -o /go/bin/server

RUN GOOS=linux GOARCH=amd64 go build -o /go/bin/server
RUN chown root:root /go/bin/server && \
chown -R root:root /go/src/app

FROM gcr.io/distroless/base@sha256:75f63d4edd703030d4312dc7528a349ca34d48bec7bd754652b2d47e5a0b7873
# base-debian11-root
FROM gcr.io/distroless/base-debian11@sha256:df13a91fd415eb192a75e2ef7eacf3bb5877bb05ce93064b91b83feef5431f37

LABEL "tee.launch_policy.allow_cmd_override"="false"
LABEL "tee.launch_policy.log_redirect"="always"

COPY --from=build /go/bin/server /
COPY --from=build /go/bin/server /server
COPY --from=build /go/src/app/config.json /config.json

COPY --from=build /go/src/app/certs/root-ca-operator.crt /root-ca-operator.crt
COPY --from=build /go/src/app/certs/tee-operator.crt /tee-operator.crt
COPY --from=build /go/src/app/certs/tee-operator.key /tee-operator.key

COPY --from=build /go/src/app/certs/root-ca-collaborator1.crt /root-ca-collaborator1.crt
COPY --from=build /go/src/app/certs/tee-collaborator1.crt /tee-collaborator1.crt
COPY --from=build /go/src/app/certs/tee-collaborator1.key /tee-collaborator1.key

COPY --from=build /go/src/app/certs/root-ca-collaborator2.crt /root-ca-collaborator2.crt
COPY --from=build /go/src/app/certs/tee-collaborator2.crt /tee-collaborator2.crt
COPY --from=build /go/src/app/certs/tee-collaborator2.key /tee-collaborator2.key
COPY --from=build /go/src/app/certs /certs

EXPOSE 8081

ENTRYPOINT ["/server"]

ENTRYPOINT ["./server"]
CMD []
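Review bot: `COPY --from=build /go/src/app/certs /certs` replaces the previous explicit per-file copies with a whole-directory copy, so the image now ships whatever is in `certs/` in the build context — the `.key` files, and any other material kept alongside them (CA private keys, for instance) if that directory holds more than the nine files listed in the Bazel rule. The explicit list acted as an allowlist; either keep per-file `COPY` lines or add a `.dockerignore` that excludes anything not meant to ship. Separately, `ENTRYPOINT ["./server"]` is a relative path that only resolves because the final stage sets no `WORKDIR` and the default is `/`; `ENTRYPOINT ["/server"]` matches the `COPY ... /server` destination and does not depend on the working directory.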
3 changes: 2 additions & 1 deletion app/cloudbuild_bazel.yaml
@@ -1,5 +1,6 @@
steps:

# bazel 5.3.1
- name: gcr.io/cloud-builders/bazel@sha256:f00a985c3196cc58819b6f7e8e40353273bc20e8f24b54d9c92d5279bb5b3fad
id: build
args: ['run', '--platforms=@io_bazel_rules_go//go/toolchain:linux_amd64', ':server']
Expand All @@ -12,7 +13,7 @@ steps:
- |
gcloud auth print-access-token > /workspace/token
- name: quay.io/containers/skopeo@sha256:2f90e4c091a45cf0f92916642a97227531c4242ea18979b16359966ca358ec63
- name: quay.io/containers/skopeo@sha256:282ec8da6e903232320f5ef8bb3bd88bf26872d569cfa79f5cb8faa5f0368a30
id: push
entrypoint: '/bin/bash'
args:
1 change: 0 additions & 1 deletion app/cloudbuild_kaniko.yaml
Expand Up @@ -131,4 +131,3 @@ steps:
serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/cosign@$PROJECT_ID.iam.gserviceaccount.com'
options:
logging: CLOUD_LOGGING_ONLY
machineType: 'N1_HIGHCPU_32'
18 changes: 9 additions & 9 deletions app/main.go
Expand Up @@ -42,18 +42,18 @@ var (
project_id = flag.String("project_id", "", "ProjectID for pubsub subscription and logging")

// for mtls certificates
default_ca = flag.String("default_ca", "root-ca-operator.crt", "Operator RootCA Chain (PEM)")
default_tls_crt = flag.String("default_tls_crt", "tee-operator.crt", "Operator TLS Certificate (PEM)")
default_tls_key = flag.String("default_tls_key", "tee-operator.key", "Operator TLS KEY (PEM)")
default_ca = flag.String("default_ca", "certs/root-ca-operator.crt", "Operator RootCA Chain (PEM)")
default_tls_crt = flag.String("default_tls_crt", "certs/tee-operator.crt", "Operator TLS Certificate (PEM)")
default_tls_key = flag.String("default_tls_key", "certs/tee-operator.key", "Operator TLS KEY (PEM)")

// collaborator mtls certs and keys materialized within the TEE
collaborator1_ca = flag.String("collaborator1_ca", "root-ca-collaborator1.crt", "Collaborator 1 RootCA Chain (PEM)")
collaborator1_tls_crt = flag.String("collaborator1_tls_crt", "tee-collaborator1.crt", "Collaborator 1 TLS Certificate (PEM)")
collaborator1_tls_key = flag.String("collaborator1_tls_key", "tee-collaborator1.key", "Collaborator 1 TLS KEY (PEM)")
collaborator1_ca = flag.String("collaborator1_ca", "certs/root-ca-collaborator1.crt", "Collaborator 1 RootCA Chain (PEM)")
collaborator1_tls_crt = flag.String("collaborator1_tls_crt", "certs/tee-collaborator1.crt", "Collaborator 1 TLS Certificate (PEM)")
collaborator1_tls_key = flag.String("collaborator1_tls_key", "certs/tee-collaborator1.key", "Collaborator 1 TLS KEY (PEM)")

collaborator2_ca = flag.String("collaborator2_ca", "root-ca-collaborator2.crt", "Collaborator 2 RootCA Chain (PEM)")
collaborator2_tls_crt = flag.String("collaborator2_tls_crt", "tee-collaborator2.crt", "Collaborator 2 TLS Certificate (PEM)")
collaborator2_tls_key = flag.String("collaborator2_tls_key", "tee-collaborator2.key", "Collaborator 2 TLS KEY (PEM)")
collaborator2_ca = flag.String("collaborator2_ca", "certs/root-ca-collaborator2.crt", "Collaborator 2 RootCA Chain (PEM)")
collaborator2_tls_crt = flag.String("collaborator2_tls_crt", "certs/tee-collaborator2.crt", "Collaborator 2 TLS Certificate (PEM)")
collaborator2_tls_key = flag.String("collaborator2_tls_key", "certs/tee-collaborator2.key", "Collaborator 2 TLS KEY (PEM)")

// map to hold all the users currently found and the number of times
// they've been sent
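Review bot: The new flag defaults such as `certs/root-ca-operator.crt` are relative paths, so they only find the files the Dockerfile and Bazel rule place under `/certs` when the process starts with `/` as its working directory, an assumption the code does not state anywhere. Using absolute defaults, e.g. `default_ca = flag.String("default_ca", "/certs/root-ca-operator.crt", "Operator RootCA Chain (PEM)")` and the same `/certs/` prefix for the other eight, removes the dependency on the launcher's cwd; failing that, a comment above the block noting the cwd assumption would help. The enclosing `var (` block begins before this hunk.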
Binary file modified images/artifacts.png
Binary file modified images/build_hash.png
Binary file modified images/cc_logs.png
Binary file modified images/cc_startup.png
Binary file modified images/cloud_logging.png
Binary file modified images/conf_space.png
Binary file modified images/kms.png
Binary file modified images/launch_spec.png
Binary file modified images/sts.png
