Merge pull request #7596 from fidencio/topic/create-image-to-be-used-by-the-confidential-tests

tests: Create image that will be used in the unencrypted confidential tests
2025-09-24 02:07:31 +00:00 · 2023-08-09 17:06:07 +02:00
parent c932369f42 fac8ccf5cd
commit 5cdf981a2b
4 changed files with 72 additions and 3 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -30,6 +30,30 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}
    secrets: inherit

+  build-and-publish-tee-confidential-unencrypted-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to Kata Containers ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.commit-hash }}
+
+      - name: Docker build and push
+        uses: docker/build-and-push-action@v3
+        with:
+          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ pr-number }}
+          push: true
+          context: .
+          platforms: linux/amd64, linux/s390x
+          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
+
  run-k8s-tests-on-aks:
    needs: publish-kata-deploy-payload-amd64
    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
@@ -42,7 +66,7 @@ jobs:
    secrets: inherit

  run-k8s-tests-on-sev:
-    needs: publish-kata-deploy-payload-amd64
+    needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
    uses: ./.github/workflows/run-k8s-tests-on-sev.yaml
    with:
      registry: ghcr.io
@@ -51,7 +75,7 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}

  run-k8s-tests-on-snp:
-    needs: publish-kata-deploy-payload-amd64
+    needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
    uses: ./.github/workflows/run-k8s-tests-on-snp.yaml
    with:
      registry: ghcr.io
@@ -60,7 +84,7 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}

  run-k8s-tests-on-tdx:
-    needs: publish-kata-deploy-payload-amd64
+    needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
    uses: ./.github/workflows/run-k8s-tests-on-tdx.yaml
    with:
      registry: ghcr.io
--- a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
@@ -0,0 +1,37 @@
+# Copyright (c) 2023 Intel Corporatiion
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# We know that using latest is error prone, we're taking the risk here.
+# hadolint ignore=DL3007
+FROM alpine:latest
+
+# We don't need a specific version of those packages
+# hadolint ignore=DL3018
+RUN apk add --no-cache curl openssh-server
+
+# Download and install `cpuid`, which will be used to detect
+# whether we're the container is running on a TEE guest
+# hadolint ignore=DL3059
+RUN /bin/sh -c \
+    'ARCH=$(uname -m) && \
+    [[ "${ARCH}" == "x86_64" ]] && \
+    curl -LO https://github.com/klauspost/cpuid/releases/download/v2.2.5/cpuid-Linux_x86_64_2.2.5.tar.gz && \
+    tar -xvzf cpuid-Linux_x86_64_2.2.5.tar.gz  -C /usr/bin && \
+    rm -rf cpuid-Linux_x86_64_2.2.5.tar.gz && \
+    rm -f /usr/bin/LICENSE'
+
+# This is done just to avoid the following error starting sshd
+# `sshd: no hostkeys available -- exiting.`
+# hadolint ignore=DL3059
+RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
+
+# A password needs to be set for login to work. An empty password is
+# unproblematic as password-based login to root is not allowed.
+# hadolint ignore=DL3059
+RUN passwd -d root
+
+# Generated with `ssh-keygen -t ed25519 -f unencrypted -P "" -C ""`
+COPY ssh/unencrypted.pub /root/.ssh/authorized_keys
+
+ENTRYPOINT ["/usr/sbin/sshd", "-D"]
--- a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYAAAAIh44GnReOBp
+0QAAAAtzc2gtZWQyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYA
+AAAEDwZtSRH/KNwmm/QCMHcif3iMQpGPOr2d12hcQqMY3KJPlENONZ3xzv3ekqk5Qa378P
+4Vrs8xVRC1K523pHwkxgAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
--- a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlENONZ3xzv3ekqk5Qa378P4Vrs8xVRC1K523pHwkxg
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlENONZ3xzv3ekqk5Qa378P4Vrs8xVRC1K523pHwkxg`