fix policy generation by using genpolicy new release (#42)

* fix policy generation by using genpolicy new release

Author: stevendongatmsft

.github/workflows/_deploy_kafka_test.yml

@@ -88,6 +88,33 @@ jobs:
         run: | 
           az aks get-credentials --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP  --overwrite-existing
           cd main/kafka
+
+          sudo cat /root/.docker/config.json 
+          sudo mv ~/.docker/config.json /root/.docker/config.json
+          echo "docker config.json looks like the following: "
+          sudo cat /root/.docker/config.json
+          curl -LO https://github.com/microsoft/kata-containers/releases/download/3.2.0.azl1.genpolicy0/genpolicy --fail-with-body
+          curl -LO https://github.com/microsoft/kata-containers/releases/download/3.2.0.azl1.genpolicy0/genpolicy-settings.json --fail-with-body
+          curl -LO https://github.com/microsoft/kata-containers/releases/download/3.2.0.azl1.genpolicy0/rules.rego --fail-with-body
+          chmod +x genpolicy
+          chmod +x genpolicy-settings.json
+          chmod +x rules.rego
+          echo "Containerd Status"
+          systemctl status containerd
+          echo "Check toml File Status" 
+          sudo cat /etc/containerd/config.toml
+          echo "Repalce toml File Content"
+          sudo sed -i 's/disabled_plugins = \["cri"\]/disabled_plugins = \[\]/' /etc/containerd/config.toml
+          echo "Check toml File Status Again" 
+          sudo cat /etc/containerd/config.toml
+          echo "Restart Containerd"
+          sudo systemctl restart containerd
+          echo "Sleep for 60 Seconds"
+          sleep 60
+          echo "Check to see whether containerd is running"
+          sudo systemctl is-active containerd
+
+
           chmod +x test-setup.sh
           randomid=$(openssl rand -hex 8 | tr -d '\n')  
           export SkrClientKID=kafka-demo-pipeline-${randomid}

.github/workflows/kafka_demo_test.yml

@@ -20,19 +20,20 @@ on:
         options: 
           - mcr.microsoft.com
           - confidentialsidecars.azurecr.io
+          - accsamplesmcr.azurecr.io
       key-release-image:
         description: "The image of the SKR sidecar to use"
         required: true
         default: "aci/skr:2.7"
         type: string
       consumer-image: 
         description: "Consumer Image"
-        default: "mcr.microsoft.com/acc/samples/kafka/consumer:2.0"
+        default: "public/acc/samples/kafka/consumer:2.0"
         required: true
         type: string
       producer-image: 
         description: "Producer Image"
-        default: "mcr.microsoft.com/acc/samples/kafka/producer:2.0"
+        default: "public/acc/samples/kafka/consumer:2.0"
         required: true
         type: string
   merge_group:
@@ -130,7 +131,7 @@ jobs:
 
   cleanup: 
     name: Clean Up
-    if: always() && needs.create-aks-cluster.result == 'success' && (needs.push_images.result == 'success' || needs.push_images.result == 'skipped')
+    if: always() && needs.create-aks-cluster.result == 'success' && needs.push_images.result == 'success'
     uses: ./.github/workflows/_cleanup.yml
     needs: [push_images, create-aks-cluster, deploy-kafka-test, test-workload]
     secrets: inherit

kafka/test-setup.sh

@@ -52,7 +52,9 @@ sed -i 's/$EVENTHUB_NAMESPACE/'"$EVENTHUB_NAMESPACE"'/g; s/$EVENTHUB/'"$EVENTHUB
 echo "Generating Security Policy for consumer"
 
 
-export WORKLOAD_MEASUREMENT=$(az confcom katapolicygen -y consumer/consumer.yaml --print-policy | base64 --decode | sha256sum | cut -d' ' -f1)
+#export WORKLOAD_MEASUREMENT=$(az confcom katapolicygen -y consumer/consumer.yaml --print-policy | base64 --decode | sha256sum | cut -d' ' -f1)
+# This is a workaround before confcom extension picks up the Genpolicy new release where it introduces the -d flag
+export WORKLOAD_MEASUREMENT=$(sudo $(pwd)/genpolicy -y consumer/consumer.yaml -p $(pwd)/rules.rego -j $(pwd)/genpolicy-settings.json -d --raw-out | sha256sum | cut -d' ' -f1)
 cat consumer/consumer.yaml
 if [[ -z "${WORKLOAD_MEASUREMENT}" ]]; then
 	echo "Warning: Env WORKLOAD_MEASUREMENT is not set. Set this to condition releasing your key on your security policy matching the expected value.  Recommended for production workloads."