ci: generate Cosmian KMS VM image (#191)

* add packer and ansible directories

* test kms cosmian-vm

* correct typo

* change resources script location

* adds privileges to packer

* duplicate shell provisioner

* add file management

* pffff

* remove permission management

* correct path error

* add sudo to run script

* redhat package correction

* redhat path correction

* unzip path correction

* add env var in ubuntu script

* test supervisor commands

* Incorporate Cosmian VM build in common KMS CI workflow

* Add test image for KMS Cosmian VM

* add license

* add license

* Fix test image

* Fix permissions in CI

* Set max run duration to 20 days

* Set proper Cosmian VM releases as base image

* Reactivate KMS install script

* Execute script in packer instead of after gcloud instanciation

* Test with script execution in gcloud

* Test with script execution back in packer

* Bump to Cosmian VM 1.1.0-rc2

* Start cosmian_vm_agent service when starting the instance for the test

* Add Nginx setup to enable HTTPS

* Separate Packer instructions depending on distrib

* Put the max run duration to 10 minutes

* Cleanup scripts

* Fix KMS package for RHEL 9

* Apply suggestions from code review

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

* ci(gcp): test redhat image

* ci(gcp): GH action name display

* Update KMS install script for Redhat

* Redhat: setup firewall to allow 80 and 443

* Redhat: setup correctly nginx

* Update documentation

* Add env variable that defines the storage of the KMS file in the LUKS

* Deploy KMS conf into the LUKS using cosmian_vm tooling

* Cleanup scripts

* Add release step (disabled for rhel for now) + simplify deleting instance

* Add restart test

* Try to fix reboot

* CI: add timeout for curl request

* fix: last build (#201)

* Add test image for KMS Cosmian VM

* Update documentation

* CI: add timeout for curl request

* ci: last_build replaced by github.com url

* test: with last binaries

* fix: last merge

* fix: copy artifacts from parent folder

* fix: relative paths not working with packer

* fix:  revert blocking bash errors on install_kms_xxx

* fix: provision kms_server file to packer

* fix: kms_server provisioning into packer

* fix: let cosmian_vm build/test/push only on nightly

* feat: add standalone workflow to build/push cosmian_vm images

* fix: delete rhel filter

---------

Co-authored-by: ThibsG <thibsg@pm.me>

* docs(changelog): add new entry for GCP images

* ci: update cloudproof_kms_js branch

---------

Co-authored-by: chokoblitz <remy.francois@cosmian.com>
Co-authored-by: ThibsG <thibsg@pm.me>
Co-authored-by: Thibs <ThibsG@users.noreply.github.com>
Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>
Co-authored-by: Manuthor <manu.coste@gmail.com>

Author: 4 people

.github/workflows/build_all_release.yml

@@ -145,3 +145,16 @@ jobs:
       artifacts: |
         target/x86_64-apple-darwin/release/ckms
         target/x86_64-apple-darwin/release/cosmian_kms_server
+
+  cosmian_vm:
+    needs:
+      - ubuntu-22
+      - rhel9
+    uses: ./.github/workflows/build_and_test_cosmian_vm.yml
+    strategy:
+      matrix:
+        distrib: [ubuntu, rhel]
+    name: ${{ matrix.distrib }} -> GCP KMS Cosmian VM image
+    secrets: inherit
+    with:
+      distrib: ${{ matrix.distrib }}

.github/workflows/build_and_test_cosmian_vm.yml

@@ -0,0 +1,223 @@
+---
+name: Build and Publish VM Image
+
+on:
+  workflow_call:
+    inputs:
+      distrib:
+        required: true
+        type: string
+
+env:
+  GCP_DEV_PROJECT: cosmian-dev
+  GCP_PUBLIC_PROJECT: cosmian-public
+
+jobs:
+  build-kms-cosmian-vm-image:
+    name: Build KMS in Cosmian VM Image for SEV
+    runs-on: ubuntu-22.04
+    outputs:
+      timestamp: ${{ steps.env.outputs.TIMESTAMP }}
+      image_name: ${{ steps.env.outputs.IMAGE_NAME }}
+      ci_instance: ${{ steps.env.outputs.CI_INSTANCE }}
+    permissions:
+      contents: read
+      id-token: write
+    defaults:
+      run:
+        working-directory: ./packer
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/download-artifact@v3
+
+      - name: List artifacts
+        run: |
+          find ..
+
+      - name: Create env variables
+        id: env
+        run: |
+          TIMESTAMP="$(date -u +'%Y%m%d%H%M%S')"
+          echo "TIMESTAMP=$TIMESTAMP" >> "$GITHUB_OUTPUT"
+          echo "IMAGE_NAME=alpha-$TIMESTAMP-cosmian-vm-kms-sev-${{ inputs.distrib }}" >> "$GITHUB_OUTPUT"
+          echo "CI_INSTANCE=gh-ci-cosmian-vm-kms-$TIMESTAMP-${{ inputs.distrib }}" >> "$GITHUB_OUTPUT"
+
+      - name: Setup `packer`
+        uses: hashicorp/setup-packer@main
+
+      - name: Run `packer init`
+        run: packer init -machine-readable gcp-sev-${{ inputs.distrib }}.pkr.hcl
+
+      - name: Install plugins
+        run: |
+          packer plugins install github.com/hashicorp/amazon
+          packer plugins install github.com/hashicorp/googlecompute
+
+      - name: Authenticate to Google Cloud project
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GOOGLE_COSMIAN_DEV_CREDENTIALS }}
+
+      - name: Build GCP images - main
+        env:
+          TIMESTAMP: ${{ steps.env.outputs.TIMESTAMP }}
+        if: startsWith(github.ref, 'refs/tags/') != true
+        run: |
+          packer build -var "prefix=alpha-$TIMESTAMP" gcp-sev-${{ inputs.distrib }}.pkr.hcl
+
+  test-image:
+    name: Test image
+    runs-on: ubuntu-22.04
+    needs: build-kms-cosmian-vm-image
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: GCP auth
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GOOGLE_COSMIAN_DEV_CREDENTIALS }}
+
+      - name: Set up Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          version: latest
+          install_components: beta
+
+      - name: Launch GCP instance
+        id: run-gcp-instance
+        env:
+          IMAGE_NAME: ${{ needs.build-kms-cosmian-vm-image.outputs.image_name }}
+          CI_INSTANCE: ${{ needs.build-kms-cosmian-vm-image.outputs.ci_instance }}
+        run: |
+          gcloud beta compute instances create $CI_INSTANCE --machine-type n2d-standard-2 \
+                                                            --zone europe-west4-a \
+                                                            --min-cpu-platform="AMD Milan" \
+                                                            --confidential-compute-type=SEV_SNP \
+                                                            --maintenance-policy=TERMINATE \
+                                                            --image="$IMAGE_NAME" \
+                                                            --image-project=$GCP_DEV_PROJECT \
+                                                            --project $GCP_DEV_PROJECT \
+                                                            --tags ssh-full,backend,http-server,https-server,cosmian-vm-agent \
+                                                            --metadata-from-file=startup-script=scripts/gcp-start-${{ inputs.distrib }}.sh \
+                                                            --max-run-duration=10m \
+                                                            --instance-termination-action=DELETE
+          IP_ADDR=$(gcloud beta compute instances describe $CI_INSTANCE --format='get(networkInterfaces[0].accessConfigs[0].natIP)' --zone=europe-west4-a)
+          echo "IP_ADDR=${IP_ADDR}" >> "$GITHUB_OUTPUT"
+
+      - name: Download Cosmian VM client
+        run: |
+          wget https://package.cosmian.com/cosmian_vm/1.1.0-rc.1/cosmian_vm
+
+      - name: Change permissions of binaries
+        run: |
+          chmod +x ./cosmian_vm
+
+      - name: Test Cosmian VM Agent on GCP instance
+        env:
+          IP_ADDR: ${{ steps.run-gcp-instance.outputs.IP_ADDR }}
+        run: |
+          echo "Waiting for Cosmian VM agent..."
+          until curl --insecure --output /dev/null --silent --fail https://${IP_ADDR}:5355/ima/ascii; do sleep 3; done
+          echo "[ OK ] Cosmian VM ready"
+          ./cosmian_vm --url https://${IP_ADDR}:5355 --allow-insecure-tls snapshot
+          ./cosmian_vm --url https://${IP_ADDR}:5355 --allow-insecure-tls verify --snapshot ./cosmian_vm.snapshot
+
+      - name: Test KMS conf deployment with Cosmian VM CLI
+        env:
+          IP_ADDR: ${{ steps.run-gcp-instance.outputs.IP_ADDR }}
+        run: |
+          ./cosmian_vm --url https://${IP_ADDR}:5355 --allow-insecure-tls app init -c resources/kms.toml
+
+      - name: Test KMS on the Cosmian VM
+        env:
+          IP_ADDR: ${{ steps.run-gcp-instance.outputs.IP_ADDR }}
+        run: |
+          echo "Checking Cosmian KMS HTTP connection..."
+          curl http://${IP_ADDR}:8080/version
+          echo ""
+          echo "[ OK ] Cosmian KMS HTTP connection"
+          echo "Checking Cosmian KMS HTTPS connection..."
+          curl --insecure https://${IP_ADDR}/version
+          echo ""
+          echo "[ OK ] Cosmian KMS HTTPS connection"
+          echo "Checking Cosmian KMS HTTP to HTTPS redirect connection..."
+          curl --insecure http://${IP_ADDR}/version
+          echo ""
+          echo "[ OK ] Cosmian KMS HTTP to HTTPS redirect connection"
+
+      - name: Restart the Cosmian VM and test again
+        continue-on-error: true
+        env:
+          CI_INSTANCE: ${{ needs.build-kms-cosmian-vm-image.outputs.ci_instance }}
+        run: |
+          sudo apt-get install -y jq moreutils
+          echo "Rebooting instance..."
+          gcloud beta compute instances stop $CI_INSTANCE --zone europe-west4-a --project $GCP_DEV_PROJECT
+          gcloud beta compute instances start $CI_INSTANCE --zone europe-west4-a --project $GCP_DEV_PROJECT
+          IP_ADDR=$(gcloud beta compute instances describe $CI_INSTANCE --format='get(networkInterfaces[0].accessConfigs[0].natIP)' --zone=europe-west4-a)
+          timeout 4m bash -c 'until curl --insecure --output /dev/null --silent --fail https://${IP_ADDR}:5355/ima/ascii; do sleep 3; done'
+          echo "[ OK ] Cosmian VM ready after reboot"
+          RESET_COUNT=$(cat cosmian_vm.snapshot | jq '.tpm_policy.reset_count')
+          NEW_RESET_COUNT=$(expr $RESET_COUNT + 1)
+          jq --arg NEW_RESET_COUNT "$NEW_RESET_COUNT" '.tpm_policy.reset_count = $NEW_RESET_COUNT' cosmian_vm.snapshot > new_cosmian_vm.snapshot
+          jq '.tpm_policy.reset_count |= tonumber' new_cosmian_vm.snapshot | sponge new_cosmian_vm.snapshot
+          ./cosmian_vm --url https://${IP_ADDR}:5355 --allow-insecure-tls verify --snapshot new_cosmian_vm.snapshot
+          echo "[ OK ] Integrity after reboot"
+          echo "Starting the KMS"
+          ./cosmian_vm --url https://${IP_ADDR}:5355 --allow-insecure-tls app restart
+          echo "[ OK ] KMS is started"
+          echo "Checking Cosmian KMS HTTP connection..."
+          curl http://${IP_ADDR}:8080/version
+          echo ""
+          echo "[ OK ] Cosmian KMS HTTP connection"
+          echo "Checking Cosmian KMS HTTPS connection..."
+          curl --insecure https://${IP_ADDR}/version
+          echo ""
+          echo "[ OK ] Cosmian KMS HTTPS connection"
+          echo "Checking Cosmian KMS HTTP to HTTPS redirect connection..."
+          curl --insecure http://${IP_ADDR}/version
+          echo ""
+          echo "[ OK ] Cosmian KMS HTTP to HTTPS redirect connection"
+
+      - name: Delete GCP instance
+        # if: success() || failure()
+        if: success()
+        env:
+          CI_INSTANCE: ${{ needs.build-kms-cosmian-vm-image.outputs.ci_instance }}
+        run: |
+          set +e
+          gcloud beta compute instances delete $CI_INSTANCE --zone europe-west4-a \
+                                                            --project $GCP_DEV_PROJECT
+
+  release-image:
+    name: Release image
+    runs-on: ubuntu-22.04
+    needs: [build-kms-cosmian-vm-image, test-image]
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: GCP auth
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.GOOGLE_COSMIAN_DEV_CREDENTIALS }}
+
+      - name: Copy image to public project
+        if: startsWith(github.ref, 'refs/tags')
+        env:
+          CI_INSTANCE: ${{ needs.build-kms-cosmian-vm-image.outputs.ci_instance }}
+          IMAGE_NAME: ${{ needs.build-kms-cosmian-vm-image.outputs.image_name }}
+        run: |
+          TAG=${{ github.ref_name }}
+          VERSION=$(echo $TAG | sed 's/\./-/g; s/_/-/g; s/+/-/g')
+          NEW_IMAGE_NAME=cosmian-vm-kms-$VERSION-sev-${{ inputs.distrib }}
+          gcloud beta compute --project=$GCP_DEV_PROJECT images create $NEW_IMAGE_NAME --source-image=$IMAGE_NAME --source-image-project=$GCP_DEV_PROJECT
+          gcloud beta compute --project=$GCP_PUBLIC_PROJECT images create $NEW_IMAGE_NAME --source-image=$IMAGE_NAME --source-image-project=$GCP_DEV_PROJECT

.github/workflows/build_docker_image.yml

@@ -89,7 +89,7 @@ jobs:
       - build-and-push-image
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_kms_js.yml@develop
     with:
-      branch: feature/covercrypt_rekey
+      branch: v4.0.0
       kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
 
   cloudproof_java:

.github/workflows/main_release.yml

@@ -182,6 +182,18 @@ jobs:
         with:
           files: ./*.zip
 
+  cosmian_vm:
+    needs:
+      - release
+    uses: ./.github/workflows/build_and_test_cosmian_vm.yml
+    strategy:
+      matrix:
+        distrib: [ubuntu, rhel]
+    name: ${{ matrix.distrib }} -> GCP KMS Cosmian VM image
+    secrets: inherit
+    with:
+      distrib: ${{ matrix.distrib }}
+
   python_publish:
     name: python publish
     needs:

.github/workflows/standalone_workflow_cosmian_vm.yml

@@ -0,0 +1,51 @@
+---
+name: Manually build and push Cosmian VM images
+
+on: workflow_dispatch
+
+jobs:
+  rhel9:
+    uses: ./.github/workflows/build_rhel9.yml
+    secrets: inherit
+    with:
+      toolchain: nightly-2024-01-09
+      archive-name: rhel9
+      commands: |
+        cargo build --release --bins
+
+        # Check binaries
+        target/release/ckms -h
+        target/release/cosmian_kms_server -h
+      artifacts: |
+        target/release/ckms
+        target/release/cosmian_kms_server
+
+  ubuntu-22:
+    uses: ./.github/workflows/build_generic.yml
+    secrets: inherit
+    with:
+      toolchain: nightly-2024-01-09
+      distribution: ubuntu-22.04
+      archive-name: ubuntu_22_04
+      commands: |
+        cargo build --release --bins
+
+        # Check binaries
+        target/release/ckms -h
+        target/release/cosmian_kms_server -h
+      artifacts: |
+        target/release/ckms
+        target/release/cosmian_kms_server
+
+  cosmian_vm:
+    needs:
+      - ubuntu-22
+      - rhel9
+    uses: ./.github/workflows/build_and_test_cosmian_vm.yml
+    strategy:
+      matrix:
+        distrib: [ubuntu, rhel]
+    name: ${{ matrix.distrib }} -> GCP KMS Cosmian VM image
+    secrets: inherit
+    with:
+      distrib: ${{ matrix.distrib }}

.pre-commit-config.yaml

@@ -145,8 +145,8 @@ repos:
   - repo: https://github.com/cisagov/pre-commit-packer
     rev: v0.0.2
     hooks:
-      - id: packer_validate
       - id: packer_fmt
+      - id: packer_validate
 
   - repo: https://github.com/Cosmian/git-hooks.git
     rev: v1.0.25

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.13.1] - 2024-03-08
+
+### Ci
+
+- Add build of GCP images (ubuntu/redhat) [#191](https://github.com/Cosmian/kms/pull/191).
+
 ## [4.13.0] - 2024-03-08
 
 ### Features
@@ -19,6 +25,7 @@ All notable changes to this project will be documented in this file.
 ### Ci
 
 - Add build on RHEL9 [#196](https://github.com/Cosmian/kms/pull/196).
+- Add build of GCP images (ubuntu/redhat) [#191](https://github.com/Cosmian/kms/pull/191).
 
 ### Bug fixes