From b0a912b8b44235127277654a203fb1c51201d7bc Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Tue, 3 Sep 2024 15:51:18 +0200 Subject: [PATCH 1/2] tests: Enable KBS deployment for qemu-coco-dev on s390x To deploy KBS on s390x, the environment variable `IBM_SE_CREDS_DIR` must be exported, and the corresponding directory must be created. This commit enables KBS deployment for `qemu-coco-dev`, in addition to the existing `qemu-se` support on the platform. Signed-off-by: Hyounggyu Choi --- tests/integration/kubernetes/confidential_kbs.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh index bf6994e39c..916800a172 100644 --- a/tests/integration/kubernetes/confidential_kbs.sh +++ b/tests/integration/kubernetes/confidential_kbs.sh @@ -283,8 +283,16 @@ function kbs_k8s_deploy() { echo "somesecret" > overlays/$(uname -m)/key.bin # For qemu-se runtime, prepare the necessary resources - if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then - prepare_credentials_for_qemu_se + if [ "$(uname -m)" == "s390x" ]; then + if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then + prepare_credentials_for_qemu_se + elif [ "${KATA_HYPERVISOR}" == "qemu-coco-dev" ]; then + # Create an empty directory just for deployment + export IBM_SE_CREDS_DIR="$(mktemp -d -t ibmse.creds.XXXXXXXXXX)" + else + echo "ERROR: KBS deployment for ${KATA_HYPERVISOR} is not supported" >&2 + return 1 + fi # SE_SKIP_CERTS_VERIFICATION should be set to true # to skip the verification of the certificates sed -i "s/false/true/g" overlays/s390x/patch.yaml From 1cefa4804746f27fa96bd4c4549f03d368e4bb05 Mon Sep 17 00:00:00 2001 
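Review bot: On the new `export IBM_SE_CREDS_DIR="$(mktemp -d -t ibmse.creds.XXXXXXXXXX)"` line in the `qemu-coco-dev` branch, `export` returns 0 even when `mktemp` fails, so a failure would leave the variable empty and the deployment would carry on. Splitting the statement keeps the status: `IBM_SE_CREDS_DIR="$(mktemp -d -t ibmse.creds.XXXXXXXXXX)" || return 1` followed by `export IBM_SE_CREDS_DIR`. Nothing visible in the hunk removes the directory afterwards, so on a long-lived runner it presumably accumulates one per run; `kbs_k8s_deploy` continues outside the hunk, so cleanup may live elsewhere. The leading comment `# For qemu-se runtime, prepare the necessary resources` is now stale, and the `sed` that sets SE_SKIP_CERTS_VERIFICATION to true now also covers `qemu-coco-dev`. A replacement comment such as `# On s390x: real SE credentials for qemu-se, a placeholder directory for qemu-coco-dev; test-only, certificate verification is skipped` would say so.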
From: Hyounggyu Choi Date: Tue, 3 Sep 2024 15:58:13 +0200 Subject: [PATCH 2/2] gha: Add necessary steps for KBS enablement The following steps are required for enabling KBS: - Set environment variables `KBS` and `KBS_INGRESS` - Uninstall and install `kbs-client` - Deploy KBS This commit adds the above stpes to the existing workflow for `qemu-coco-dev`. Signed-off-by: Hyounggyu Choi --- .github/workflows/run-k8s-tests-on-zvsi.yaml | 28 ++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml index 2bdb36e141..10928bb8dc 100644 --- a/.github/workflows/run-k8s-tests-on-zvsi.yaml +++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml @@ -91,6 +91,12 @@ jobs: run: echo "SNAPSHOTTER=" >> $GITHUB_ENV if: ${{ matrix.snapshotter == 'overlayfs' }} + - name: Set KBS and KBS_INGRESS if qemu-coco-dev + run: | + echo "KBS=true" >> $GITHUB_ENV + echo "KBS_INGRESS=nodeport" >> $GITHUB_ENV + if: ${{ matrix.vmm == 'qemu-coco-dev' }} + - name: Deploy ${{ matrix.k8s }} run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s @@ -104,6 +110,21 @@ jobs: timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-zvsi + - name: Uninstall previous `kbs-client` + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client + if: ${{ matrix.vmm == 'qemu-coco-dev' }} + + - name: Deploy CoCo KBS + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs + if: ${{ matrix.vmm == 'qemu-coco-dev' }} + + - name: Install `kbs-client` + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client + if: ${{ matrix.vmm == 'qemu-coco-dev' }} + - name: Run tests timeout-minutes: 60 run: bash tests/integration/kubernetes/gha-run.sh run-tests 
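Review bot: The `Set KBS and KBS_INGRESS if qemu-coco-dev` step gives no hint that this is a test-only configuration. `KBS_INGRESS=nodeport` presumably publishes the KBS service on a node port, and the s390x overlay touched by the first patch writes a fixed key and turns SE certificate verification off. A comment above the step would record that, e.g. `# Test-only KBS: fixed secret, cert verification skipped, exposed via NodePort on the CI node`. The two `echo` lines could also quote the redirect target, `>> "$GITHUB_ENV"`, though the unquoted form matches the neighbouring SNAPSHOTTER step.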
@@ -111,3 +132,10 @@ jobs: - name: Delete kata-deploy if: always() run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi + + - name: Delete CoCo KBS + if: always() + run: | + if [ "${KBS}" == "true" ]; then + bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs + fi
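Review bot: The `Delete CoCo KBS` step gates on the shell test `[ "${KBS}" == "true" ]`, whereas every other KBS step in this patch gates on `if: ${{ matrix.vmm == 'qemu-coco-dev' }}`, so the workflow has two sources of truth for the same decision. Moving the condition into the step, `if: ${{ always() && matrix.vmm == 'qemu-coco-dev' }}` with a plain `run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs`, keeps them consistent and shows the step as skipped for other VMMs. Because it runs under `always()`, it also fires when the job failed before `Deploy CoCo KBS`; whether `delete-coco-kbs` tolerates a missing deployment is not visible here and is worth confirming. The `IBM_SE_CREDS_DIR` directory created during deployment is presumably exported only inside that step's process, so this cleanup step would not be able to remove it.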