From a46282050e20461fa1e5c2fd5a934086bb9086db Mon Sep 17 00:00:00 2001
From: Yi Shi <yi.shi@thetradedesk.com>
Date: Fri, 13 Oct 2023 14:52:15 +0800
Subject: [PATCH] refine policy
---
 e2e/e2e.sh | 7 +++--
 scripts/azure-cc/README.md | 15 ++++++++--
 scripts/azure-cc/arm-template.json | 26 ++++++++--------
 .../azure-cc/template-policy.parameters.json | 30 +++++++++++++++++++
 scripts/azure-cc/template.parameters.json | 16 +++++-----
 5 files changed, 68 insertions(+), 26 deletions(-)
 create mode 100644 scripts/azure-cc/template-policy.parameters.json
diff --git a/e2e/e2e.sh b/e2e/e2e.sh
index ecfd55a06..52aa0a6ab 100644
--- a/e2e/e2e.sh
+++ b/e2e/e2e.sh
@@ -3,7 +3,7 @@ set -x # to facilitate local test
 # common configs for all enclaves
-NGROK_TOKEN=
+NGROK_TOKEN=2U9hyPLFDbc8nTny7woMOudqAAN_7HiFVXjjcNiVYcXBD1k5w
 CORE_VERSION=2.14.5-SNAPSHOT-default
 OPTOUT_VERSION=2.6.18-60727cf243-default
@@ -12,15 +12,16 @@ TEST_GCP_OIDC=false
 IMAGE_HASH=
 # Azure CC enclave configs
-TEST_AZURE_CC=false
+TEST_AZURE_CC=true
 # TODO(lun.wang) eventually digest may be derived via IMAGE_HASH, and no need to be explicitly set
-AZURE_CC_POLICY_DIGEST=
+AZURE_CC_POLICY_DIGEST=3e1f6eb87bd7b73c618cd1522abbb2d3a8a1baf50c10c78a186db347b962e331
 # replace below with your local repo root of uid2-core and uid2-optout
 CORE_ROOT="../../uid2-core"
 OPTOUT_ROOT="../../uid2-optout"
 # copy to a different folder in local to avoid data pollution
+rm -rf "./e2e-target"
 cp -rf "./e2e/" "./e2e-target"
 cd ./e2e-target
diff --git a/scripts/azure-cc/README.md b/scripts/azure-cc/README.md
index cb4dd8df5..cb97f1d61 100644
--- a/scripts/azure-cc/README.md
+++ b/scripts/azure-cc/README.md
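Review bot: The `+NGROK_TOKEN=2U9h…` line commits a live ngrok authtoken into a tracked script, and the value will stay in git history even after a later commit blanks it out. Treat the token as exposed: revoke and reissue it on the ngrok side, restore the empty placeholder (`NGROK_TOKEN=`) in the committed file, and have the script take it from the caller instead, e.g. `NGROK_TOKEN="${NGROK_TOKEN:?set NGROK_TOKEN in the environment}"`. The same pattern of developer-local values landing in tracked files shows up in the second e2e.sh hunk and in the template.parameters.json hunk.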
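Review bot: Flipping the committed default to `TEST_AZURE_CC=true` and hard-coding `AZURE_CC_POLICY_DIGEST=3e1f…` turns the shared e2e configuration into one developer's local setup; every other user of the script now runs the Azure CC leg against a digest that only matches one particular image/policy build. Keep the committed defaults as `TEST_AZURE_CC=false` and `AZURE_CC_POLICY_DIGEST=` and let callers override them, and since the TODO already says the digest should follow from the image, a comment such as `# must match the policy generated for IMAGE_HASH; a stale value presumably fails the enclave's policy check` would save the next reader a debugging round. The added `rm -rf "./e2e-target"` is fine as long as the script keeps being run from the repo root, which the relative paths on the surrounding lines already assume.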
@@ -1,7 +1,18 @@
 # UID2 Operator - Azure Confidential Container package
-## Generate deployment ARM
+## Generate CCE policy
+
+Note: only `deploymentEnvironment` and `image` need to be specified. Other empty parameters are wildcards.
+
+```
+az confcom acipolicygen -a arm-template.json -p template-policy.parameters.json --approve-wildcards -y --debug-mode
+```
+
+## Deploy
 ```
-az confcom acipolicygen -a .\arm-template.json -p .\template.parameters.json --debug-mode
+RESOURCE_GROUP=uid-enclave-test
+az deployment group create --resource-group $RESOURCE_GROUP --name rollout \
+ --template-file arm-template.json \
+ --parameters @template.parameters.json
 ```
\ No newline at end of file
diff --git a/scripts/azure-cc/arm-template.json b/scripts/azure-cc/arm-template.json
index abee1dead..3778f3bec 100644
--- a/scripts/azure-cc/arm-template.json
+++ b/scripts/azure-cc/arm-template.json
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
-"name": {
+"containerGroupName": {
 "type": "string",
 "defaultValue": "uid2-operator",
 "metadata": {
@@ -22,31 +22,31 @@
 "description": "ManagedIdentity to launch the container"
 }
 },
-"vault-name": {
+"vaultName": {
 "type": "string",
 "metadata": {
 "description": "Vault name"
 }
 },
-"operator-key-secret-name": {
+"operatorKeySecretName": {
 "type": "string",
 "metadata": {
 "description": "Operator key secret name"
 }
 },
-"deployment-environment": {
+"deploymentEnvironment": {
 "type": "string",
 "metadata": {
 "description": "Deployment environment"
 }
 },
-"core-base-url": {
+"coreBaseUrl": {
 "type": "string",
 "metadata": {
 "description": "UID2 core base url override"
 }
 },
-"optout-base-url": {
+"optoutBaseUrl": {
 "type": "string",
 "metadata": {
 "description": "UID2 optout base url override"
@@ -57,7 +57,7 @@
 {
 "type": "Microsoft.ContainerInstance/containerGroups",
 "apiVersion": "2023-05-01",
-"name": "[parameters('name')]",
+"name": "[parameters('containerGroupName')]",
 "location": "[resourceGroup().location]",
 "identity": {
 "type": "userAssigned",
@@ -115,23 +115,23 @@
 "environmentVariables": [
 {
 "name": "VAULT_NAME",
-"value": "[parameters('vault-name')]"
+"value": "[parameters('vaultName')]"
 },
 {
 "name": "OPERATOR_KEY_SECRET_NAME",
-"value": "[parameters('operator-key-secret-name')]"
+"value": "[parameters('operatorKeySecretName')]"
 },
 {
 "name": "DEPLOYMENT_ENVIRONMENT",
-"value": "[parameters('deployment-environment')]"
+"value": "[parameters('deploymentEnvironment')]"
 },
 {
 "name": "CORE_BASE_URL",
-"value": "[parameters('core-base-url')]"
+"value": "[parameters('coreBaseUrl')]"
 },
 {
 "name": "OPTOUT_BASE_URL",
-"value": "[parameters('optout-base-url')]"
+"value": "[parameters('optoutBaseUrl')]"
 }
 ]
 }
@@ -155,7 +155,7 @@
 "outputs": {
 "containerIPv4Address": {
 "type": "string",
-"value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('name'))).ipAddress.ip]"
+"value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups', parameters('containerGroupName'))).ipAddress.ip]"
 }
 }
 }
diff --git a/scripts/azure-cc/template-policy.parameters.json b/scripts/azure-cc/template-policy.parameters.json
new file mode 100644
index 000000000..813174066
--- /dev/null
+++ b/scripts/azure-cc/template-policy.parameters.json
@@ -0,0 +1,30 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"containerGroupName": {
+"value": ""
+},
+"image": {
+"value": "ghcr.io/iabtechlab/uid2-operator:5.17.12-SNAPSHOT-azure-cc"
+},
+"identity": {
+"value": ""
+},
+"vaultName": {
+"value": ""
+},
+"operatorKeySecretName": {
+"value": ""
+},
+"deploymentEnvironment": {
+"value": "integ"
+},
+"coreBaseUrl": {
+"value": ""
+},
+"optoutBaseUrl": {
+"value": ""
+}
+}
+}
\ No newline at end of file
diff --git a/scripts/azure-cc/template.parameters.json b/scripts/azure-cc/template.parameters.json
index 226009a24..febd26a68 100644
--- a/scripts/azure-cc/template.parameters.json
+++ b/scripts/azure-cc/template.parameters.json
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
-"name": {
+"containerGroupName": {
 "value": "ysh-uid2-operator"
 },
 "image": {
@@ -11,20 +11,20 @@
 "identity": {
 "value": "uid-operator"
 },
-"vault-name": {
+"vaultName": {
 "value": "uid-operator"
 },
-"operator-key-secret-name": {
+"operatorKeySecretName": {
 "value": "operator-key"
 },
-"deployment-environment": {
+"deploymentEnvironment": {
 "value": "integ"
 },
-"core-base-url": {
-"value": "<>"
+"coreBaseUrl": {
+"value": "https://943b-58-246-6-18.ngrok-free.app"
 },
-"optout-base-url": {
-"value": "<>"
+"optoutBaseUrl": {
+"value": "https://3272-58-246-6-18.ngrok-free.app"
 }
 }
 }
\ No newline at end of file
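Review bot: Leaving `vaultName`, `operatorKeySecretName`, `coreBaseUrl` and `optoutBaseUrl` as `""` means the CCE policy generated from this file with `--approve-wildcards` (see the README hunk) does not constrain the VAULT_NAME, OPERATOR_KEY_SECRET_NAME, CORE_BASE_URL and OPTOUT_BASE_URL environment variables that the arm-template hunk maps them to, so a deployment can point the operator at a different vault or core/optout endpoint while still matching the published policy digest; only the image and `DEPLOYMENT_ENVIRONMENT=integ` are pinned. If that digest is what downstream relies on to trust an operator, the core/optout URLs and the vault parameters should be given their real values here (one policy per environment) instead of being wildcarded, and the README command's `--debug-mode` should not be used for a policy that is published, since as I read the az confcom documentation it adds debugging allowances to the generated rules. The `image` value is a mutable tag; a `@sha256:<image-digest>` reference would make the generated policy reproducible and make it obvious which image a given policy digest belongs to.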
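Review bot: `coreBaseUrl` and `optoutBaseUrl` now default to two `ngrok-free.app` tunnel URLs (`https://943b-58-246-6-18…`, `https://3272-58-246-6-18…`), which is one developer's machine at one moment; anyone deploying with this file unchanged gets an operator that fetches its keys and opt-out data from whatever that hostname resolves to once the tunnel is gone or reassigned. The previous `<>` placeholders were the right shape for a committed parameters file, or use `"value": ""` plus a README note, matching how `containerGroupName` and `identity` are handled in template-policy.parameters.json, and keep the personal values in an untracked local copy. `containerGroupName` likewise keeps the personal `ysh-uid2-operator` instead of the template's `uid2-operator` default.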