From b3cc8b200fb8f8c2060264e1a4a54c96e3250866 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Mon, 10 Jun 2024 12:10:17 -0700
Subject: [PATCH 1/2] gha: enable autogenerated policy testing on SEV

Enable autogenerated policy testing on SEV

Signed-off-by: Saul Paredes
---
 tests/integration/kubernetes/gha-run.sh | 4 +++-
 tests/integration/kubernetes/k8s-policy-pvc.bats | 4 ++--
 tests/integration/kubernetes/tests_common.sh | 13 +++++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 428d127f31..28808ac024 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -272,7 +272,9 @@ function run_tests() {
 export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig"
 
 # TODO: enable testing auto-generated policy for other types of hosts too.
-if [ "${KATA_HOST_OS}" = "cbl-mariner" ] || [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+if [ "${KATA_HOST_OS}" = "cbl-mariner" ] || \
+ [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \
+ [ "${KATA_HYPERVISOR}" = "qemu-sev" ]; then
 export AUTO_GENERATE_POLICY="yes"
 fi
 
diff --git a/tests/integration/kubernetes/k8s-policy-pvc.bats b/tests/integration/kubernetes/k8s-policy-pvc.bats
index 7ea6add6cb..100a4bcb9c 100644
--- a/tests/integration/kubernetes/k8s-policy-pvc.bats
+++ b/tests/integration/kubernetes/k8s-policy-pvc.bats
@@ -10,7 +10,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
 auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
-( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
+( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
 
 pod_name="policy-pod-pvc"
 pvc_name="policy-dev"
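Review bot: The `if` chain now carries one `[ ... ] || \` line per hypervisor, and the same hypervisor list is repeated by hand in the `setup()` and `teardown()` skips of k8s-policy-pvc.bats and grows again in patch 2 (gha-run.sh hunk at `@@ -274`), so enabling one more platform means editing three or four places in lock step. A `case` reads better as the list grows, keeping the `[ "${KATA_HOST_OS}" = "cbl-mariner" ]` test as its own `if` and adding `case "${KATA_HYPERVISOR}" in qemu-tdx|qemu-sev) export AUTO_GENERATE_POLICY="yes" ;; esac`, with a comment `# keep in sync with the skip lists in k8s-policy-pvc.bats` above it. run_tests() starts and ends outside the hunk.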
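Review bot: The extended skip expression in `setup()` is byte-identical to the one in `teardown()` (hunk at `@@ -55` on the next line), and patch 2 extends both again, so each new platform is added twice and the two can silently drift apart; the `( ... )` subshell around the tests also forks for no effect. A single helper, e.g. `skip_if_pvc_policy_unsupported() { case "${KATA_HYPERVISOR}" in qemu-tdx|qemu-sev) skip "https://github.com/kata-containers/kata-containers/issues/9846" ;; esac; }` called from both hooks, keeps the list in one place (confirm `skip` behaves the same when called from a helper rather than directly in the hook). All three platforms are skipped under the one issue link; if the SEV failure has a different root cause, give it its own reference so the skips can be lifted independently. setup() continues past the end of the hunk.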
@@ -55,7 +55,7 @@ test_pod_policy_error() {
 
 teardown() {
 auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
-( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
+( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
 
 # Debugging information. Don't print the "Message:" line because it contains a truncated policy log.
 kubectl describe pod "${pod_name}" | grep -v "Message:"
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index ef3e4be2f7..96b9da40df 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -139,6 +139,15 @@ adapt_common_policy_settings_for_tdx() {
 jq '.common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
 }
 
+# adapt common policy settings for qemu-sev
+adapt_common_policy_settings_for_sev() {
+
+ local settings_dir=$1
+
+ info "Adapting common policy settings for SEV"
+ jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
+}
+
 # adapt common policy settings for various platforms
 adapt_common_policy_settings() {
 
@@ -147,6 +156,10 @@ adapt_common_policy_settings() {
 case "${KATA_HYPERVISOR}" in
 "qemu-tdx")
 adapt_common_policy_settings_for_tdx "${settings_dir}"
+ ;;
+ "qemu-sev")
+ adapt_common_policy_settings_for_sev "${settings_dir}"
+ ;;
 esac
 }
 
From 57d2ded3e2341c93f1d4180b9fac72efaf20949d Mon Sep 17 00:00:00 2001
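Review bot: The new adapt_common_policy_settings_for_sev() writes its jq output to a fixed `temp.json` in whatever the current working directory happens to be and then `sudo mv`s it over the settings file; the `>` redirection creates or truncates `temp.json` before jq runs, so a jq failure (a typo in the filter, a missing settings file) leaves a partial file behind in the test's cwd, and two runs sharing a cwd would clobber each other's file. The pipeline is copied verbatim from adapt_common_policy_settings_for_tdx() above (that function starts outside the hunk), so the same applies there and a fix should cover both. A `mktemp` path with cleanup on failure, as below for the SEV function, removes both problems; note that `mktemp` creates the file mode 0600, so confirm the consumer of genpolicy-settings.json does not need it readable by another user before switching. Splitting the jq filter across lines would also make the one difference from the TDX filter, `.kata_config.oci_version`, visible at a glance.
```sh
# adapt common policy settings for qemu-sev
adapt_common_policy_settings_for_sev() {
	local settings_dir=$1
	local tmp_settings

	tmp_settings=$(mktemp) || return 1
	info "Adapting common policy settings for SEV"
	jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' \
		"${settings_dir}/genpolicy-settings.json" > "${tmp_settings}" \
		|| { rm -f -- "${tmp_settings}"; return 1; }
	sudo mv -- "${tmp_settings}" "${settings_dir}/genpolicy-settings.json"
}
```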
From: Saul Paredes
Date: Thu, 13 Jun 2024 14:19:44 -0700
Subject: [PATCH 2/2] gha: enable autogenerated policy testing on SEV-SNP

Enable autogenerated policy testing on SEV-SNP

Signed-off-by: Saul Paredes
---
 tests/integration/kubernetes/gha-run.sh | 3 ++-
 tests/integration/kubernetes/k8s-policy-pvc.bats | 4 ++--
 tests/integration/kubernetes/tests_common.sh | 8 +++-----
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 28808ac024..e1ec1faa89 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -274,7 +274,8 @@ function run_tests() {
 # TODO: enable testing auto-generated policy for other types of hosts too.
 if [ "${KATA_HOST_OS}" = "cbl-mariner" ] || \
 [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \
- [ "${KATA_HYPERVISOR}" = "qemu-sev" ]; then
+ [ "${KATA_HYPERVISOR}" = "qemu-sev" ] || \
+ [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
 export AUTO_GENERATE_POLICY="yes"
 fi
 
diff --git a/tests/integration/kubernetes/k8s-policy-pvc.bats b/tests/integration/kubernetes/k8s-policy-pvc.bats
index 100a4bcb9c..1176e03bfd 100644
--- a/tests/integration/kubernetes/k8s-policy-pvc.bats
+++ b/tests/integration/kubernetes/k8s-policy-pvc.bats
@@ -10,7 +10,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
 auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
-( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
+( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
 
 pod_name="policy-pod-pvc"
 pvc_name="policy-dev"
@@ -55,7 +55,7 @@ test_pod_policy_error() {
 
 teardown() {
 auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
-( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
+( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
 
 # Debugging information. Don't print the "Message:" line because it contains a truncated policy log.
 kubectl describe pod "${pod_name}" | grep -v "Message:"
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index 96b9da40df..9be10301e6 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -130,18 +130,16 @@ auto_generate_policy_enabled() {
 [ "${AUTO_GENERATE_POLICY}" == "yes" ]
 }
 
-# adapt common policy settings for tdx
+# adapt common policy settings for tdx or snp
 adapt_common_policy_settings_for_tdx() {
-
 local settings_dir=$1
 
- info "Adapting common policy settings for TDX"
+ info "Adapting common policy settings for TDX or SNP"
 jq '.common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
 }
 
 # adapt common policy settings for qemu-sev
 adapt_common_policy_settings_for_sev() {
-
 local settings_dir=$1
 
 info "Adapting common policy settings for SEV"
@@ -154,7 +152,7 @@ adapt_common_policy_settings() {
 local settings_dir=$1
 
 case "${KATA_HYPERVISOR}" in
-"qemu-tdx")
+"qemu-tdx"|"qemu-snp")
 adapt_common_policy_settings_for_tdx "${settings_dir}"
 ;;
 "qemu-sev")
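Review bot: adapt_common_policy_settings_for_tdx() now serves SEV-SNP as well (the second hunk maps `"qemu-tdx"|"qemu-snp"` to it), but only its comment and info message were updated, so the function name still tells a reader of the call site that it is TDX-specific. Either rename it in the same commit, for instance to `adapt_common_policy_settings_for_tdx_snp` together with the `case` arm, or keep the name and explain the sharing above the definition, e.g. `# TDX and SEV-SNP guests use the same cpath and configMap mount point; SEV additionally pins kata_config.oci_version (see adapt_common_policy_settings_for_sev).` The hunk also leaves the jq pipeline writing to a fixed `temp.json` in the current directory; that point is raised on the SEV function in patch 1 and applies here too. The SEV function's body continues past the end of this hunk.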