
Handle sidecar-digest overrides when releasing from an ACR #8


Workflow file for this run

# PR validation for the CCF provider. The build-containers job runs first;
# every other job in this file lists it under `needs`.
name: "PR Validation: CCF Provider"
on:
  workflow_dispatch:
  # Runs for pull requests that target main or release.
  # NOTE(review): every job in this file runs on a self-hosted pool; confirm
  # that fork PRs need approval (repository setting or protection rules on the
  # `pr` environment) before PR-controlled code executes on those runners.
  pull_request:
    branches:
      - main
      - release
# Workflow-level permissions: they apply to every job in this file.
permissions:
  # Allows jobs to request a GitHub OIDC token. Presumably consumed by the
  # local login-to-azure action for federated login — confirm in that action.
  id-token: write
  contents: read # This is required for actions/checkout
  checks: write # This is required to generate the test report
  # NOTE(review): no step in this file visibly publishes a test report; if the
  # invoked scripts do not either, `checks: write` can be dropped.
# When a new revision is pushed to a PR, cancel all in-progress CI runs for that
# PR. See https://docs.github.com/en/actions/using-jobs/using-concurrency
# The cleanup steps in this file are gated on `if: success()`, so a run that is
# cancelled here skips them.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
jobs:
# Builds the CCF infrastructure containers for this run. The build script is
# given the registry (vars.ACR_URL) and tag (github.run_id) that the test jobs
# later pass to deploy-ccf.ps1.
build-containers:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  # NOTE(review): presumably the `pr` environment supplies the vars.* values
  # and can carry protection rules such as required reviewers — confirm.
  environment: pr
  env:
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # Presumably read by the scripts to name or tag what they create — confirm.
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    - name: Delete huge unnecessary tools folder # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
      run: rm -rf /opt/hostedtoolcache
    # NOTE(review): `v4` is a mutable tag; pinning to a full commit SHA fixes
    # exactly which action code runs on the self-hosted runner.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    # Membership in the docker group is effectively root on the runner host.
    - name: Add docker user
      shell: bash
      run: sudo usermod -aG docker $USER
    # NOTE(review): installs whichever powershell-yaml version the gallery
    # serves at run time; -RequiredVersion would make this reproducible.
    - shell: pwsh
      run: Install-Module -Name powershell-yaml -Force
    # build-ccf-network-security-policy.ps1 uses confcom.
    # NOTE(review): the extension version is not pinned and preview builds are
    # allowed; `az version` below records what was actually installed.
    - name: Install confcom extension
      shell: pwsh
      run: |
        az extension add --name confcom -y --allow-preview true
        az version
    # Action defined in this repository; it receives the Azure identity values
    # through the step-level env below.
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # NOTE(review): ${{ vars.ACR_URL }} is substituted into the script text
    # before the shell parses it; passing it through `env:` would keep the
    # value out of shell parsing.
    - name: Log in to Azure Container Registry
      shell: pwsh
      run: az acr login -n ${{ vars.ACR_URL }}
    # The run id is used as the image tag; -push and -pushPolicy are passed to
    # the build script along with the registry.
    - name: Build CCF containers
      run: pwsh ./build/ccf/build-ccf-infra-containers.ps1 -tag ${{ github.run_id }} -repo ${{ vars.ACR_URL }} -push -pushPolicy
# Deploys a local 3-node virtual CCF network, runs the CGS sample against it,
# then performs operator recovery and validates the CGS state afterwards.
docker-operator-recovery:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # Uses the registry and tag that build-containers passed to its build script.
    - name: Deploy local virtual CCF network via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1 -infraType virtual -nodeCount 3 -registryUrl ${{ vars.ACR_URL }} -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step, so the
    # container output is still captured; they are skipped only on cancel.
    # NOTE(review): this output lands in the run log; confirm these containers
    # never log tokens or key material.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a local virtual CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    - name: Recover local virtual CCF network via operator recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1 -nodeCount 3
    # Runs the validation script against the recovered network.
    - name: Validate CGS state after recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
# docker-operator-recovery-new-name:
# runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
# environment: pr
# needs: [build-containers]
# env:
# RUN_ID: ${{ github.run_id }}
# JOB_ID: ${{ github.job }}
# steps:
# - uses: actions/checkout@v4
# with:
# submodules: recursive
# - name: Login to Azure and refresh token
# uses: ./.github/actions/login-to-azure
# env:
# CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
# TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
# SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
#
# - name: Deploy local virtual CCF network via CCF provider
# run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1 -infraType virtual -nodeCount 3 -registryUrl ${{ vars.ACR_URL }} -tag ${{ github.run_id }}
# - name: Dump cgs-client logs
# if: ${{ !cancelled() }}
# shell: pwsh
# run: docker logs ccf-provider-governance-cgs-client-1
# - name: Dump ccf-provider-client logs
# shell: pwsh
# if: ${{ !cancelled() }}
# run: docker logs ccf-provider-client-1
# - name: Test CGS sample on a local virtual CCF network deployed via CCF provider
# # Trigger snapshot post completion as this recovery is only off a snapshot
# # (and no committed ledger files or the latest RW ledger file) so that recovery has
# # the latest data available.
# run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1 -triggerSnapshotOnCompletion
# - name: Dump member0 cgs-client logs
# if: ${{ !cancelled() }}
# shell: pwsh
# run: docker logs member0-governance-cgs-client-1
# - name: Recover local virtual CCF network via operator recovery
# run: pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1 -nodeCount 3 -targetNetworkName testnet-virtual-r
# - name: Validate CGS state after recovery
# run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1 -targetNetworkName testnet-virtual-r
# - name: Dump ccf-provider-client logs after recovery
# shell: pwsh
# if: ${{ !cancelled() }}
# run: docker logs ccf-provider-client-1
# Same flow as the local operator-recovery job, but the network is deployed
# and recovered with -confidentialRecovery, and the recovery-agent and
# recovery-service container logs are dumped before and after recovery.
docker-confidential-recovery:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    - name: Deploy local virtual CCF network via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1 -infraType virtual -nodeCount 3 -confidentialRecovery -registryUrl ${{ vars.ACR_URL }} -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    # NOTE(review): recovery components handle key material; confirm none of
    # it is written to these container logs, which end up in the run log.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    # show-docker-logs.ps1 is given a container label rather than a fixed
    # container name.
    - name: Dump ccf-recovery-agent logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-network/type=recovery-agent"
    - name: Dump ccf-recovery-service logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-recovery-service/type=recovery-service"
    - name: Test CGS sample on a local virtual CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    - name: Recover local virtual CCF network via confidential recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1 -nodeCount 3 -confidentialRecovery
    - name: Validate CGS state after recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Dump ccf-recovery-agent logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-network/type=recovery-agent"
    - name: Dump ccf-recovery-service logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-recovery-service/type=recovery-service"
# One-step variant of the local confidential-recovery job: deploy adds
# -oneStepConfigureConfidentialRecovery and recovery adds -oneStepRecovery.
docker-confidential-recovery-onestep:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    - name: Deploy local virtual CCF network via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1 -infraType virtual -nodeCount 3 -confidentialRecovery -oneStepConfigureConfidentialRecovery -registryUrl ${{ vars.ACR_URL }} -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    # NOTE(review): confirm the recovery containers do not write key material
    # to their logs, since this output ends up in the run log.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Dump ccf-recovery-agent logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-network/type=recovery-agent"
    - name: Dump ccf-recovery-service logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-recovery-service/type=recovery-service"
    - name: Test CGS sample on a local virtual CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    - name: Recover local virtual CCF network via confidential recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1 -nodeCount 3 -confidentialRecovery -oneStepRecovery
    - name: Validate CGS state after recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Dump ccf-recovery-agent logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-network/type=recovery-agent"
    - name: Dump ccf-recovery-service logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: pwsh ./samples/ccf/ccf-provider/azcli/show-docker-logs.ps1 -label "ccf-recovery-service/type=recovery-service"
# Deploys a single-node virtual ACI CCF network (-infraType virtualaci), runs
# the CGS sample against it, and removes the tagged resources on success.
aci:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    # These match the tag value built in the cleanup step below; presumably
    # the deploy script tags what it creates from them — confirm.
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    - name: Deploy a virtual ACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 and -NoTest (which does scale up) as an N node cluster is at times failing to join the start node with an SSL error.
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1 -infraType virtualaci -nodeCount 1 -NoTest -registryUrl ${{ vars.ACR_URL }} -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a virtual ACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"
# Deploys a single-node CACI CCF network with -nodeStorageType localfs, runs
# the CGS sample against it, and removes the tagged resources on success.
caci-local-storage:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # The folded scalar (`>`) joins the lines below into one command line.
    # NOTE(review): cached-debug is presumably a debug-grade security policy —
    # confirm in deploy-ccf.ps1 and keep it to CI deployments.
    - name: Deploy a CACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 and as an N node cluster is at times failing to join the start node with an SSL error.
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1
        -infraType caci
        -nodeCount 1
        -securityPolicyCreationOption cached-debug
        -nodeStorageType localfs
        -registryUrl ${{ vars.ACR_URL }}
        -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a CACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"
# Deploys a single-node CACI CCF network, runs the CGS sample, performs a
# one-step operator recovery, then runs the scale-up upgrade test; the CGS
# state is validated after the recovery and again after the upgrade.
caci-operator-recovery:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # The folded scalar (`>`) joins the lines below into one command line.
    # NOTE(review): cached-debug is presumably a debug-grade security policy —
    # confirm in deploy-ccf.ps1 and keep it to CI deployments.
    - name: Deploy a CACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 as creating an N node cluster is at times failing to join the start node with an SSL error.
      # Scaling up to N nodes after creating a 1 node network does not hit the issue.
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1
        -infraType caci
        -nodeCount 1
        -securityPolicyCreationOption cached-debug
        -registryUrl ${{ vars.ACR_URL }}
        -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a CACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    # Recovery is given the same security policy option as the deploy step.
    - name: Recover single node CACI CCF network via operator recovery in one step
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1
        -oneStepRecovery
        -nodeCount 1
        -securityPolicyCreationOption cached-debug
    - name: Validate CGS state after recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Upgrade single node CACI CCF network via scale up
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/test-ccf-upgrade-via-scale-up.ps1
    # Reuses the recovery validation script to check state after the upgrade.
    - name: Validate CGS state after upgrade (scale up)
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"
# Deploys a single-node CACI CCF network configured for confidential recovery,
# runs the CGS sample, recovers the network with -confidentialRecovery, and
# validates the CGS state afterwards.
caci-confidential-recovery:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # The folded scalar (`>`) joins the lines below into one command line.
    # NOTE(review): cached-debug is presumably a debug-grade security policy —
    # confirm in deploy-ccf.ps1 and keep it to CI deployments.
    - name: Deploy a CACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 as creating an N node cluster is at times failing to join the start node with an SSL error.
      # Scaling up to N nodes after creating a 1 node network does not hit the issue.
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1
        -infraType caci
        -nodeCount 1
        -securityPolicyCreationOption cached-debug
        -confidentialRecovery
        -oneStepConfigureConfidentialRecovery
        -registryUrl ${{ vars.ACR_URL }}
        -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a CACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    # Recovery is given the same security policy option as the deploy step.
    - name: Recover single node CACI CCF network via confidential recovery
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1
        -nodeCount 1
        -confidentialRecovery
        -securityPolicyCreationOption cached-debug
    - name: Validate CGS state after recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"
# Deploys a single-node CACI CCF network configured for confidential recovery,
# runs the CGS sample, then runs two upgrade tests (via confidential recovery,
# then via scale up), validating the CGS state after each.
caci-confidential-recovery-ccf-upgrade:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # The folded scalar (`>`) joins the lines below into one command line.
    # NOTE(review): cached-debug is presumably a debug-grade security policy —
    # confirm in deploy-ccf.ps1 and keep it to CI deployments.
    - name: Deploy a CACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 as creating an N node cluster is at times failing to join the start node with an SSL error.
      # Scaling up to N nodes after creating a 1 node network does not hit the issue.
      # Passing -NoTest to avoid scale up testing to save time. Other tests cover it.
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1
        -infraType caci
        -nodeCount 1
        -NoTest
        -securityPolicyCreationOption cached-debug
        -confidentialRecovery
        -oneStepConfigureConfidentialRecovery
        -registryUrl ${{ vars.ACR_URL }}
        -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a CACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    - name: Upgrade single node CACI CCF network via confidential recovery
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/test-ccf-upgrade-via-confidential-recovery.ps1
    # Reuses the recovery validation script to check state after the upgrade.
    - name: Validate CGS state after upgrade (recovery)
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Upgrade single node CACI CCF network via scale up
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/test-ccf-upgrade-via-scale-up.ps1
    - name: Validate CGS state after upgrade (scale up)
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after scale up
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"
# Deploys a single-node CACI CCF network configured for confidential recovery,
# runs the CGS sample, then runs the recovery-service upgrade test and
# validates the CGS state afterwards.
caci-confidential-recovery-recsvc-upgrade:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # The folded scalar (`>`) joins the lines below into one command line.
    # NOTE(review): cached-debug is presumably a debug-grade security policy —
    # confirm in deploy-ccf.ps1 and keep it to CI deployments.
    - name: Deploy a CACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 as creating an N node cluster is at times failing to join the start node with an SSL error.
      # Scaling up to N nodes after creating a 1 node network does not hit the issue.
      # Passing -NoTest to avoid scale up testing to save time. Other tests cover it.
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1
        -infraType caci
        -nodeCount 1
        -NoTest
        -securityPolicyCreationOption cached-debug
        -confidentialRecovery
        -oneStepConfigureConfidentialRecovery
        -registryUrl ${{ vars.ACR_URL }}
        -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a CACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    # The upgrade test is given the same security policy option as the deploy.
    - name: Upgrade recovery service and recover single node CACI CCF network
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/test-recovery-service-upgrade.ps1
        -nodeCount 1
        -OneStepRecovery
        -securityPolicyCreationOption cached-debug
    - name: Validate CGS state after upgrade (recovery)
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery service upgrade
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"
# Confidential-recovery flow on a single-node CACI CCF network, deployed and
# recovered with -securityPolicyCreationOption allow-all instead of
# cached-debug.
caci-allow-all-confidential-recovery:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # The folded scalar (`>`) joins the lines below into one command line.
    # NOTE(review): going by its name, allow-all presumably produces a policy
    # that does not restrict what the container group may run — confirm in
    # deploy-ccf.ps1. Acceptable for a CI path, not for a deployment that
    # relies on the security policy for its guarantees.
    - name: Deploy a CACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 as creating an N node cluster is at times failing to join the start node with an SSL error.
      # Scaling up to N nodes after creating a 1 node network does not hit the issue.
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1
        -infraType caci
        -nodeCount 1
        -securityPolicyCreationOption allow-all
        -confidentialRecovery
        -oneStepConfigureConfidentialRecovery
        -registryUrl ${{ vars.ACR_URL }}
        -tag ${{ github.run_id }}
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a CACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    # Recovery is given the same allow-all option as the deploy step.
    - name: Recover single node CACI CCF network via confidential recovery
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1
        -nodeCount 1
        -confidentialRecovery
        -securityPolicyCreationOption allow-all
    - name: Validate CGS state after recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"
# One-step confidential recovery on a single-node CACI CCF network. This is
# the only job in the file that passes -location (westus) to the deploy script.
caci-confidential-recovery-onestep:
  runs-on: ["self-hosted", "1ES.Pool=azure-cleanroom-public"]
  environment: pr
  needs: [build-containers]
  env:
    AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    RUN_ID: ${{ github.run_id }}
    JOB_ID: ${{ github.job }}
  steps:
    # NOTE(review): `v4` is a mutable tag; a full commit SHA pins the action.
    - uses: actions/checkout@v4
      with:
        submodules: recursive
    - name: Login to Azure and refresh token
      uses: ./.github/actions/login-to-azure
      env:
        CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
        TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
        SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    # The folded scalar (`>`) joins the lines below into one command line.
    # NOTE(review): cached-debug is presumably a debug-grade security policy —
    # confirm in deploy-ccf.ps1 and keep it to CI deployments.
    - name: Deploy a CACI CCF network via CCF provider
      # TODO (gsinha): Passing nodeCount as 1 as creating an N node cluster is at times failing to join the start node with an SSL error.
      # Scaling up to N nodes after creating a 1 node network does not hit the issue.
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/deploy-ccf.ps1
        -infraType caci
        -nodeCount 1
        -securityPolicyCreationOption cached-debug
        -confidentialRecovery
        -oneStepConfigureConfidentialRecovery
        -registryUrl ${{ vars.ACR_URL }}
        -tag ${{ github.run_id }}
        -location westus
    # `!cancelled()` keeps the log dumps running after a failed step.
    - name: Dump cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs ccf-provider-governance-cgs-client-1
    - name: Dump ccf-provider-client logs
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    - name: Test CGS sample on a CACI CCF network deployed via CCF provider
      run: pwsh ./samples/ccf/ccf-provider/azcli/deploy-cgs.ps1
    - name: Dump member0 cgs-client logs
      if: ${{ !cancelled() }}
      shell: pwsh
      run: docker logs member0-governance-cgs-client-1
    # Recovery is given the same security policy option as the deploy step.
    - name: Recover single node CACI CCF network via confidential recovery in one step
      run: >
        pwsh ./samples/ccf/ccf-provider/azcli/recover-ccf.ps1
        -nodeCount 1
        -oneStepRecovery
        -confidentialRecovery
        -securityPolicyCreationOption cached-debug
    - name: Validate CGS state after recovery
      run: pwsh ./samples/ccf/ccf-provider/azcli/validate-cgs-recovery.ps1
    - name: Dump ccf-provider-client logs after recovery
      shell: pwsh
      if: ${{ !cancelled() }}
      run: docker logs ccf-provider-client-1
    # Runs only when every earlier step succeeded, so a failed or cancelled run
    # leaves the tagged Azure resources in place.
    # NOTE(review): confirm something outside this workflow reaps leftovers.
    - name: Delete resource groups
      if: success()
      shell: pwsh
      run: ./samples/ccf/ccf-provider/azcli/remove-resources.ps1 -tag "github_actions=ccf-network-${{ github.job }}-${{ github.run_id }}"