Merge pull request #10244 from BbolroC/turn-on-kbs-qemu-coco-dev-s390x

gha: Turn on KBS for qemu-coco-dev on s390x

.github/workflows/run-k8s-tests-on-zvsi.yaml

@@ -91,6 +91,12 @@ jobs:
         run: echo "SNAPSHOTTER=" >> $GITHUB_ENV
         if: ${{ matrix.snapshotter == 'overlayfs' }}
 
+      - name: Set KBS and KBS_INGRESS if qemu-coco-dev
+        run: |
+          echo "KBS=true" >> $GITHUB_ENV
+          echo "KBS_INGRESS=nodeport" >> $GITHUB_ENV
+        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
+
       - name: Deploy ${{ matrix.k8s }}
         run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
 
@@ -104,6 +110,21 @@ jobs:
         timeout-minutes: 10
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-zvsi
 
+      - name: Uninstall previous `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
+
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
+
       - name: Run tests
         timeout-minutes: 60
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -111,3 +132,10 @@ jobs:
       - name: Delete kata-deploy
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi
+
+      - name: Delete CoCo KBS
+        if: always()
+        run: |
+          if [ "${KBS}" == "true" ]; then
+            bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+          fi

tests/integration/kubernetes/confidential_kbs.sh

@@ -283,8 +283,16 @@ function kbs_k8s_deploy() {
 	echo "somesecret" > overlays/$(uname -m)/key.bin
 
 	# For qemu-se runtime, prepare the necessary resources
-	if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
-		prepare_credentials_for_qemu_se
+	if [ "$(uname -m)" == "s390x" ]; then
+		if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
+			prepare_credentials_for_qemu_se
+		elif [ "${KATA_HYPERVISOR}" == "qemu-coco-dev" ]; then
+			# Create an empty directory just for deployment
+			export IBM_SE_CREDS_DIR="$(mktemp -d -t ibmse.creds.XXXXXXXXXX)"
+		else
+			echo "ERROR: KBS deployment for ${KATA_HYPERVISOR} is not supported" >&2
+			return 1
+		fi
 		# SE_SKIP_CERTS_VERIFICATION should be set to true
 		# to skip the verification of the certificates
 		sed -i "s/false/true/g" overlays/s390x/patch.yaml