Merge pull request #7596 from fidencio/topic/create-image-to-be-used-by-the-confidential-tests
tests: Create image that will be used in the unencrypted confidential tests
30
.github/workflows/ci.yaml
vendored
30
.github/workflows/ci.yaml
vendored
@@ -30,6 +30,30 @@ jobs:
|
|||||||
commit-hash: ${{ inputs.commit-hash }}
|
commit-hash: ${{ inputs.commit-hash }}
|
||||||
secrets: inherit
|
secrets: inherit
|
||||||
|
|
||||||
|
build-and-publish-tee-confidential-unencrypted-image:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Login to Kata Containers ghcr.io
|
||||||
|
uses: docker/login-action@v2
|
||||||
|
with:
|
||||||
|
registry: ghcr.io
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.commit-hash }}
|
||||||
|
|
||||||
|
- name: Docker build and push
|
||||||
|
uses: docker/build-and-push-action@v3
|
||||||
|
with:
|
||||||
|
tags: ghcr.io/kata-containers/test-images:unencrypted-${{ pr-number }}
|
||||||
|
push: true
|
||||||
|
context: .
|
||||||
|
platforms: linux/amd64, linux/s390x
|
||||||
|
file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
|
||||||
|
|
||||||
run-k8s-tests-on-aks:
|
run-k8s-tests-on-aks:
|
||||||
needs: publish-kata-deploy-payload-amd64
|
needs: publish-kata-deploy-payload-amd64
|
||||||
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
|
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
|
||||||
@@ -42,7 +66,7 @@ jobs:
|
|||||||
secrets: inherit
|
secrets: inherit
|
||||||
|
|
||||||
run-k8s-tests-on-sev:
|
run-k8s-tests-on-sev:
|
||||||
needs: publish-kata-deploy-payload-amd64
|
needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
|
||||||
uses: ./.github/workflows/run-k8s-tests-on-sev.yaml
|
uses: ./.github/workflows/run-k8s-tests-on-sev.yaml
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
@@ -51,7 +75,7 @@ jobs:
|
|||||||
commit-hash: ${{ inputs.commit-hash }}
|
commit-hash: ${{ inputs.commit-hash }}
|
||||||
|
|
||||||
run-k8s-tests-on-snp:
|
run-k8s-tests-on-snp:
|
||||||
needs: publish-kata-deploy-payload-amd64
|
needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
|
||||||
uses: ./.github/workflows/run-k8s-tests-on-snp.yaml
|
uses: ./.github/workflows/run-k8s-tests-on-snp.yaml
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
@@ -60,7 +84,7 @@ jobs:
|
|||||||
commit-hash: ${{ inputs.commit-hash }}
|
commit-hash: ${{ inputs.commit-hash }}
|
||||||
|
|
||||||
run-k8s-tests-on-tdx:
|
run-k8s-tests-on-tdx:
|
||||||
needs: publish-kata-deploy-payload-amd64
|
needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
|
||||||
uses: ./.github/workflows/run-k8s-tests-on-tdx.yaml
|
uses: ./.github/workflows/run-k8s-tests-on-tdx.yaml
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
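Review bot: The "Docker build and push" step does not look runnable as written: its `uses:` line names `docker/build-and-push-action@v3`, while the action Docker publishes is, as far as I know, `docker/build-push-action`, and the tag expression `${{ pr-number }}` has no context prefix (the same file reads `commit-hash` as `inputs.commit-hash`). If the workflow declares a `pr-number` input, the line would read `tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}`. Because this job logs in to ghcr.io with `GITHUB_TOKEN` and pushes an image, I would also reference the actions by full commit SHA instead of the mutable `@v2`/`@v3` tags and give the job an explicit `permissions:` block limited to `contents: read` and `packages: write`. `context: .` also looks inconsistent with the Dockerfile's `COPY ssh/unencrypted.pub`, which resolves relative to the build context, so it is worth confirming where the `ssh/` directory lives.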
||||||
|
@@ -0,0 +1,37 @@
|
|||||||
|
# Copyright (c) 2023 Intel Corporatiion
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
# We know that using latest is error prone, we're taking the risk here.
|
||||||
|
# hadolint ignore=DL3007
|
||||||
|
FROM alpine:latest
|
||||||
|
|
||||||
|
# We don't need a specific version of those packages
|
||||||
|
# hadolint ignore=DL3018
|
||||||
|
RUN apk add --no-cache curl openssh-server
|
||||||
|
|
||||||
|
# Download and install `cpuid`, which will be used to detect
|
||||||
|
# whether we're the container is running on a TEE guest
|
||||||
|
# hadolint ignore=DL3059
|
||||||
|
RUN /bin/sh -c \
|
||||||
|
'ARCH=$(uname -m) && \
|
||||||
|
[[ "${ARCH}" == "x86_64" ]] && \
|
||||||
|
curl -LO https://github.com/klauspost/cpuid/releases/download/v2.2.5/cpuid-Linux_x86_64_2.2.5.tar.gz && \
|
||||||
|
tar -xvzf cpuid-Linux_x86_64_2.2.5.tar.gz -C /usr/bin && \
|
||||||
|
rm -rf cpuid-Linux_x86_64_2.2.5.tar.gz && \
|
||||||
|
rm -f /usr/bin/LICENSE'
|
||||||
|
|
||||||
|
# This is done just to avoid the following error starting sshd
|
||||||
|
# `sshd: no hostkeys available -- exiting.`
|
||||||
|
# hadolint ignore=DL3059
|
||||||
|
RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
|
||||||
|
|
||||||
|
# A password needs to be set for login to work. An empty password is
|
||||||
|
# unproblematic as password-based login to root is not allowed.
|
||||||
|
# hadolint ignore=DL3059
|
||||||
|
RUN passwd -d root
|
||||||
|
|
||||||
|
# Generated with `ssh-keygen -t ed25519 -f unencrypted -P "" -C ""`
|
||||||
|
COPY ssh/unencrypted.pub /root/.ssh/authorized_keys
|
||||||
|
|
||||||
|
ENTRYPOINT ["/usr/sbin/sshd", "-D"]
|
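Review bot: The `cpuid` install step fails the build on any architecture other than x86_64, because the `[[ "${ARCH}" == "x86_64" ]] &&` chain exits non-zero when the test is false, and the workflow in this commit also builds the image for `linux/s390x`. The same step unpacks a tarball fetched with `curl -LO` into `/usr/bin` without `-f` and without checking a digest, so neither an HTTP error body nor a replaced release asset is detected. Wrapping the download in an `if` and verifying a pinned SHA-256 before `tar` covers both. The digest in the fence is a placeholder to be filled in from the release.

```dockerfile
# Placeholder digest: replace <SHA256_OF_RELEASE_TARBALL> with the value published for the v2.2.5 asset.
RUN ARCH="$(uname -m)" && \
    if [ "${ARCH}" = "x86_64" ]; then \
        curl -fsSLO https://github.com/klauspost/cpuid/releases/download/v2.2.5/cpuid-Linux_x86_64_2.2.5.tar.gz && \
        echo "<SHA256_OF_RELEASE_TARBALL>  cpuid-Linux_x86_64_2.2.5.tar.gz" | sha256sum -c - && \
        tar -xvzf cpuid-Linux_x86_64_2.2.5.tar.gz -C /usr/bin && \
        rm -f cpuid-Linux_x86_64_2.2.5.tar.gz /usr/bin/LICENSE; \
    fi
```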
@@ -0,0 +1,7 @@
|
|||||||
|
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||||
|
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||||
|
QyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYAAAAIh44GnReOBp
|
||||||
|
0QAAAAtzc2gtZWQyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYA
|
||||||
|
AAAEDwZtSRH/KNwmm/QCMHcif3iMQpGPOr2d12hcQqMY3KJPlENONZ3xzv3ekqk5Qa378P
|
||||||
|
4Vrs8xVRC1K523pHwkxgAAAAAAECAwQF
|
||||||
|
-----END OPENSSH PRIVATE KEY-----
|
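Review bot: This committed private key matches the public key added in the next file, which appears to be the one the Dockerfile installs as root's `authorized_keys`, so anyone who can read the repository can authenticate as root to any container started from the published `unencrypted-*` image. That may be acceptable for a test fixture, but nothing in the commit says so. I would add a short README next to the key stating that it is a test-only credential, that the image must never run where its sshd port is reachable outside the test cluster, and that the path should be allow-listed in secret scanning so real findings are not drowned out. Generating the key pair in the CI job and passing only the public half into the build would avoid publishing the credential at all. The Dockerfile's `passwd -d root` also depends on sshd defaults to keep the empty password unusable; setting `PermitRootLogin prohibit-password` and `PasswordAuthentication no` explicitly in the image would make that assumption visible.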
@@ -0,0 +1 @@
|
|||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlENONZ3xzv3ekqk5Qa378P4Vrs8xVRC1K523pHwkxg
|