Add ansible role for GCP #1

Merged: 1 commit, Aug 9, 2022
10 changes: 8 additions & 2 deletions README.md
@@ -1,2 +1,8 @@
# keylime-cloud-environments
Setup instructions and scripts for running Keylime in cloud environments
# Keylime Cloud Environments
Setup instructions and scripts for running [Keylime](https://github.com/keylime/keylime) in cloud environments. \
The set up for each cloud environment is located in a seperate directory. For use, follow the instructions found in their respective README.

## Keylime on Google Cloud
Ansible role to deploy a Fedora 35 instance on the Google Cloud Platform with [Keylime](https://github.com/keylime/keylime) and the [rust agent](https://github.com/keylime/rust-keylime) against a Virtualized TPM.

See the [README](https://github.com/keylime/keylime-cloud-environments/keylime-ansible-gcp/README.md) for further information on set up and usage.
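Review bot: the link on the last line, `https://github.com/keylime/keylime-cloud-environments/keylime-ansible-gcp/README.md`, is not a valid GitHub file URL (it lacks the `blob/<branch>/` segment) and will 404; a relative link, `[README](keylime-ansible-gcp/README.md)`, resolves on GitHub and survives forks and branch renames. Also "seperate" should be "separate" and "The set up" should be "The setup".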
45 changes: 45 additions & 0 deletions keylime-ansible-gcp/README.md
@@ -0,0 +1,45 @@
# Ansible Keylime for Google Cloud
Ansible role to deploy a Fedora 35 instance on the Google Cloud Platform with a Virtualized TPM.

Contributions are welcome, should anyone wish to have this role provision other Linux distributions.

For details on using Keylime, please consult the
[project documentation](https://keylime-docs.readthedocs.io/en/latest/).

For details on the Rust agent, please consult the [repository](https://github.com/keylime/rust-keylime).

## Configuration
1. [Install ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). \
Note: must use Ansible 2.9+
2. Install dependecies for the Ansible-GCP module \
`$ pip3 install requests google-auth`
Maybe add that openssl is required / helpful

I'd say ansible is also a dependency!

3. [Create GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
4. Enable Compute Engine for this project. \
To do so, select the naivgation menu (the three bars to the left of the GCP logo), hover over "APIs & Services", click "Dashboard", select "+ ENABLE APIS AND SERVICES", search for "Compute Engine API", select and enable.
5. [Create a GCP service account](https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount) for ansible's use.
6. [Create and download keys linked to this service account](https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts&zippy=%2Cservice-accounts). Note: download the keys in JSON format.
7. Create ssh key pair \
` ssh-keygen -t rsa -f ~/.ssh/gcp_ansible_key`
8. Add the ssh public key to the Metadata section of Compute Engine in Google Cloud Platform. (Compute Engine>Settings>Metadata>SSH) \
`# cat ~/.ssh/gcp_ansible_key.pub`
9. Add path to ssh private key to ansible config
1. Create file in the current directory called `ansible.cfg`
2. Indicate the path to your GCP SSH private key in this file. Example:
```
[defaults]
private_key_file = /home/.ssh/gcp_ansible_key
```
10. Run the script to set up the environment.
```
./set_env_var.sh --help
Warning: this script parses the GCP service account credential file for the email and project ID.
Usage: ./set_env_var.sh <path to JSON cred file> <GCP region> <GCP zone>
```
## Usage
Run the playbook to create an instance with vTPM.

```bash
ansible-playbook create_gcp_instance.yml
```
## Keylime Installation
To deploy keylime on this new VM against the vTPM, use this [ansible-keylime role](https://github.com/keylime/ansible-keylime)
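Review bot: the Configuration steps never install the `google.cloud` Ansible collection that `create_gcp_instance.yml` depends on (`google.cloud.gcp_compute_disk`, `gcp_compute_address`, `gcp_compute_instance`); step 2 should add `ansible-galaxy collection install google.cloud` beside `pip3 install requests google-auth`, otherwise the playbook fails with an unresolved module. Two smaller points: the `ansible.cfg` example uses `/home/.ssh/gcp_ansible_key`, which does not match the `~/.ssh/gcp_ansible_key` created in step 7 (`private_key_file = ~/.ssh/gcp_ansible_key` works as written), and the JSON key downloaded in step 6 is a long-lived credential for the whole service account, so the README should tell users to keep it out of the repository (add it to `.gitignore`) and to grant that account only the Compute roles the playbook needs. Typos: "dependecies", "naivgation"; the unlabelled fence at step 10 should be tagged ```bash like the one under Usage.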
76 changes: 76 additions & 0 deletions keylime-ansible-gcp/create_gcp_instance.yml
@@ -0,0 +1,76 @@
---
- hosts: localhost
gather_facts: no
connection: local
vars:
- gcp_project: "{{ lookup('ansible.builtin.env','GCP_PROJECT') }}"
- gcp_cred_kind: "{{ lookup('ansible.builtin.env','GCP_CRED_KIND') }}"
- gcp_cred_file: "{{ lookup('ansible.builtin.env','GCP_CRED_FILE') }}"
- gcp_cred_email: "{{ lookup('ansible.builtin.env','GCP_CRED_EMAIL') }}"
- zone: "{{ lookup('ansible.builtin.env','GCP_ZONE') }}"
- region: "{{ lookup('ansible.builtin.env','GCP_REGION') }}"
tasks:
- name: Create disk mapped from Fedora image
google.cloud.gcp_compute_disk:
name: disk-instance
size_gb: 50
source_image: /projects/fedora-cloud/global/images/fedora-cloud-base-gcp-35-1-2-x86-64
zone: "{{ zone }}"
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
scopes:
- https://www.googleapis.com/auth/compute
state: present
register: disk

- name: Create IPv4 public instance address
google.cloud.gcp_compute_address:
name: address-instance
region: "{{ region }}"
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
scopes:
- https://www.googleapis.com/auth/compute
state: present
register: address

- name: Create the Fedora instance
google.cloud.gcp_compute_instance:
name: keylime
machine_type: e2-medium
disks:
- auto_delete: 'true'
boot: 'true'
source: "{{ disk }}"
shielded_instance_config:
enable_integrity_monitoring: 'no'
enable_secure_boot: 'no'
enable_vtpm: 'yes'
network_interfaces:
- network: null
access_configs:
- name: External NAT
nat_ip: "{{ address }}"
type: ONE_TO_ONE_NAT
zone: "{{ zone }}"
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
service_accounts:
- email: "{{ gcp_cred_email }}"
scopes:
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
- https://www.googleapis.com/auth/service.management.readonly
- https://www.googleapis.com/auth/servicecontrol
- https://www.googleapis.com/auth/trace.append
state: present
status: RUNNING

- name: Show instance details
debug:
msg: "New GCP instance accessible at {{ address.address }}."
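Review bot: the instance is attached to the deployer's own service account (`service_accounts: - email: "{{ gcp_cred_email }}"`), i.e. the account whose downloaded JSON key Ansible uses to create the disk, address and instance. Any process on the VM can mint tokens for that identity from the metadata server; those tokens are limited to the listed scopes, but the identity still carries whatever IAM roles it was granted for deployment, so scope is the only thing separating a compromised agent host from the project's Compute resources. Prefer a dedicated, minimally privileged service account for the VM, or omit `service_accounts` to fall back to the default Compute service account. Secondary: since this VM exists to exercise attestation against the vTPM, consider `enable_integrity_monitoring: 'yes'` unless the README documents why it is off, and `vars:` written as a list of single-key mappings works but a plain mapping is the conventional form.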

26 changes: 26 additions & 0 deletions keylime-ansible-gcp/set_env_var.sh
@@ -0,0 +1,26 @@
#!/bin/bash
usage() {
echo "Warning: this script parses the GCP service account credential file for the email and project ID."
echo "Usage: ./set_env_var.sh <path to JSON cred file> <GCP region> <GCP zone>"
}
if [[ ($# -ne 3) || ($@ == "--help") || ($@ == "-h") ]]
then
usage
exit 1
fi
echo "Warning: this script parses the GCP service account credential file for the email and project ID."
sleep 5
export GCP_REGION="$2"
echo "GCP REGION is set to $GCP_REGION"
export GCP_ZONE="$3"
echo "GCP ZONE is set to $GCP_ZONE"
export GCP_CRED_FILE="$1"
echo "GCP CRED FILE is set to $GCP_CRED_FILE"
export GCP_PROJECT="$(sed -e 's/^"//' -e 's/"$//' <<< "$(jq .project_id $1)")"
echo "GCP PROJECT is set to $GCP_PROJECT"
export GCP_CRED_KIND="serviceaccount"
echo "GCP CRED KIND is set to $GCP_CRED_KIND"
export GCP_CRED_EMAIL="$(sed -e 's/^"//' -e 's/"$//' <<< "$(jq .client_email $1)")"
echo "GCP CRED EMAIL is set to $GCP_CRED_EMAIL"
echo "Launching shell with environment variables"
$SHELL
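Review bot: `jq .project_id $1` and `jq .client_email $1` leave `$1` unquoted, so a credential path containing spaces breaks, and the `sed` quote-stripping is unnecessary: `jq -r .project_id "$1"` returns the raw string directly. The script also never checks that the file is readable or that `jq` produced a value, so a wrong path silently exports empty `GCP_PROJECT` and `GCP_CRED_EMAIL` and the failure only surfaces later in the playbook; add a `[[ -r "$1" ]] || { usage; exit 1; }` guard before parsing and abort if either result is empty. Minor: `$@ == "--help"` inside `[[ ]]` compares all arguments joined into one string, `$1` is what is meant, and `--help` should exit 0 rather than 1.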