trustops/trustworthy-ci-pipelines
Trustworthy CI Pipelines Demonstrator

This repository contains source code used to demonstrate the implementation of the Trustworthy CI pipelines architecture detailed in the paper:

  1. First, it sets up a multi-node Kubernetes cluster using k3s and installs Argo Workflows and Portainer. It also installs and enables the Kata Containers and Confidential Containers runtimes for the TEE VMs (e.g. kata-qemu-tdx). If your system has no TEE capabilities, you can fall back to a non-TEE Kata VM runtime (e.g. kata-qemu). This is a placeholder demonstrator while technology such as Confidential Containers (built on the Kata runtime) keeps maturing. The capabilities missing from the placeholder are memory encryption, attestation, and other TEE features. Automated key management is likewise missing, but can be integrated following the documentation. In this demo, we skip these broader integrations and simulate their use.
  2. In the examples folder, you can find workflow examples that can be imported into Argo Workflows. Argo is also configured to listen to webhooks from GitLab, so that CI pipelines are triggered by specific events in the repository. Follow the instructions in the GitLab documentation and the Argo Workflows documentation to configure it. This is not a crucial part of the demonstrator, because the repository can be cloned from anywhere and the pipeline triggered manually.
  3. The source repository should, however, contain signed commits, and the public keys of the authorized signers should be captured in advance. In examples/test-app.trustops.nix, you can find an example of the commit signature verification.
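The signature check in step 3 is a policy gate: a commit is admitted only if its signature is good and the signing key is one of the captured authorized signers. The following is an added example of such a gate, not code from this repository or from examples/test-app.trustops.nix; it assumes the pipeline feeds it the output of `git log --format='%H%x09%G?%x09%GF%x09%s' <range>` (hash, git's %G? status letter, signing-key fingerprint and subject, tab-separated), and the fingerprints and hashes it contains are constructed placeholders.

```python
"""Fail-closed commit-signature gate for a CI pipeline input range."""
from dataclasses import dataclass
import sys

# %G? status letters as documented in git-log(1); only "G" is acceptable.
STATUS = {"G": "good signature", "B": "bad signature",
          "U": "good signature, untrusted key", "X": "good signature, expired",
          "Y": "good signature, expired key", "R": "good signature, revoked key",
          "E": "signature cannot be checked", "N": "no signature"}

@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str

def check_commit(line: str, allowed: set[str]) -> Verdict:
    """Decide one commit. The fingerprint must be in the captured set even when
    git already reports the key as trusted, so the decision never rests on the
    runner's local keyring or allowed-signers configuration alone."""
    fields = line.rstrip("\n").split("\t")   # tabs keep an empty %GF parseable
    if len(fields) != 4:
        raise ValueError(f"malformed log line: {line!r}")
    commit, status, fingerprint, _subject = fields
    if status != "G":
        return Verdict(commit, False, STATUS.get(status, f"unknown status {status!r}"))
    if fingerprint.strip().lower() not in {a.strip().lower() for a in allowed}:
        return Verdict(commit, False, f"signing key {fingerprint} is not an authorized signer")
    return Verdict(commit, True, "good signature from authorized signer")

def gate(log_text: str, allowed: set[str]) -> list[Verdict]:
    return [check_commit(l, allowed) for l in log_text.splitlines() if l.strip()]

def pipeline_may_run(log_text: str, allowed: set[str]) -> bool:
    """Fail closed: an empty range (nothing verified) is rejected as well."""
    verdicts = gate(log_text, allowed)
    return bool(verdicts) and all(v.ok for v in verdicts)

# Constructed sample input: hashes and fingerprints are placeholders, not real keys.
ALLOWED_SIGNERS = {"SHA256:AAAA", "SHA256:BBBB"}
SAMPLE_LOG = "\n".join([
    "a1b2c3\tG\tSHA256:AAAA\tAdd build step",       # authorized signer
    "d4e5f6\tG\tSHA256:ZZZZ\tTweak deploy config",  # valid signature, key never captured
    "0a1b2c\tN\t\tFix typo",                         # unsigned
    "9f8e7d\tB\tSHA256:AAAA\tRevert",                # bad signature
])

if __name__ == "__main__":
    for v in gate(SAMPLE_LOG, ALLOWED_SIGNERS):
        print(f"{v.commit} {'PASS' if v.ok else 'FAIL'} {v.reason}")
    sys.exit(0 if pipeline_may_run(SAMPLE_LOG, ALLOWED_SIGNERS) else 1)
```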

To run the demonstrator, you need Nix.

Setting up the k3s cluster:

VM k3s hosts are orchestrated using kcli.

First, under the utils folder, create a file named kcli_plan.yml. The template file template.kcli_plan.yml contains template configurations that can be copied:

cp utils/template.kcli_plan.yml utils/kcli_plan.yml 

Then, if Nix is installed in your system, do:

# Install the k3s cluster
nix-shell install.nix

This will create a kcli plan named k3s-cluster, deploy the VMs, and bootstrap a k3s cluster. To modify the configuration, edit kcli_plan.yml and/or k3sup.py before running install.nix.

Follow the command line instructions to access the UIs of Argo Workflows, Portainer, and MinIO.

Note: To delete the plan, run kcli delete plan k3s-cluster

If you exit the Nix shell, you can reconnect without having to install the k3s cluster again:

# Connect back to kcli
nix-shell connect.nix

Examples:

The folder examples contains some workflow examples to be imported into Argo Workflows.

About

First prototype of a Trustworthy CI Pipeline
