From aaf9b54d97db5c32fba917f3d986457a80b83066 Mon Sep 17 00:00:00 2001
From: Gabriela Cervantes
Date: Tue, 9 Apr 2024 18:38:40 +0000
Subject: [PATCH 1/3] gha: Add support to install KBS to k8s TDX GHA workflow
This PR adds support to install KBS to k8s TDX GHA workflow in order to run confidential attestation tests.
Fixes #9451
Signed-off-by: Gabriela Cervantes
---
 .github/workflows/run-kata-coco-tests.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index e43216a0b..bce5408a1 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -42,7 +42,9 @@ jobs:
 KATA_HYPERVISOR: ${{ matrix.vmm }}
 KUBERNETES: "k3s"
 USING_NFD: "true"
+ KBS: "true"
 K8S_TEST_HOST_TYPE: "baremetal"
+ KBS_INGRESS: "nodeport"
 SNAPSHOTTER: ${{ matrix.snapshotter }}
 PULL_TYPE: ${{ matrix.pull-type }}
 steps:
@@ -65,6 +67,14 @@ jobs:
 timeout-minutes: 10
 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
+ - name: Deploy CoCo KBS
+ timeout-minutes: 10
+ run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+ - name: Install `kbs-client`
+ timeout-minutes: 10
+ run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
 - name: Run tests
 timeout-minutes: 30
 run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -77,6 +87,10 @@ jobs:
 if: always()
 run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
+ - name: Delete CoCo KBS
+ if: always()
+ run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+
 run-k8s-tests-on-sev:
 strategy:
 fail-fast: false
From b54dc2607393286b756512fc5c0f7ff7e6bddb9a Mon Sep 17 00:00:00 2001
From: Gabriela Cervantes
Date: Mon, 6 May 2024 15:55:24 +0000
Subject: [PATCH 2/3] gha: Enable uninstall kbs client function for coco gha workflow
This PR enables the uninstall kbs client function for coco gha tdx workflow.
Signed-off-by: Gabriela Cervantes
---
 .github/workflows/run-kata-coco-tests.yaml | 4 ++++
 tests/integration/kubernetes/gha-run.sh | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index bce5408a1..d2280ef54 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -67,6 +67,10 @@ jobs:
 timeout-minutes: 10
 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
+ - name: Uninstall previous `kbs-client`
+ timeout-minutes: 10
+ run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+
 - name: Deploy CoCo KBS
 timeout-minutes: 10
 run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 1e859becf..9f8192ea6 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -266,6 +266,10 @@ function install_kbs_client() {
 kbs_install_cli
 }
+function uninstall_kbs_client() {
+ kbs_uninstall_cli
+}
+
 function run_tests() {
 ensure_yq
 platform="${1:-}"
@@ -594,6 +598,7 @@ function main() {
 delete-coco-kbs) delete_coco_kbs ;;
 delete-cluster) cleanup "aks" ;;
 delete-cluster-kcli) delete_cluster_kcli ;;
+ uninstall-kbs-client) uninstall_kbs_client ;;
 *) >&2 echo "Invalid argument"; exit 2 ;;
 esac
 }
From cfdef7ed5f5983e10f486a68d683c9a133d56b01 Mon Sep 17 00:00:00 2001
From: Gabriela Cervantes
Date: Mon, 20 May 2024 16:58:41 +0000
Subject: [PATCH 3/3] tests/k8s: Use custom intel DCAP configuration
This PR adds the use of custom Intel DCAP configuration when deploying the KBS.
Signed-off-by: Gabriela Cervantes
---
 .../kubernetes/confidential_kbs.sh | 12 ++++++++
 tests/integration/kubernetes/gha-run.sh | 28 ++++++++++++++++---
 2 files changed, 36 insertions(+), 4 deletions(-)
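Review bot: `uninstall_kbs_client` is added without the header comment that the neighbouring `deploy_coco_kbs` carries in this file, so the convention the file already follows is broken by the new function; a one-line `# Remove the kbs-client CLI previously set up by install_kbs_client` above it would restore it. Its body only calls `kbs_uninstall_cli`, which the hunk does not define and which presumably lives in confidential_kbs.sh; if that helper fails when no client is installed, the new "Uninstall previous `kbs-client`" workflow step in this patch runs before any install and would fail the job on a fresh runner, which is worth confirming against the helper. The `main` dispatch hunk only adds the matching case arm and needs nothing further.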
diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index c09a05cf5..7444a8732 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -13,6 +13,7 @@ source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
 # shellcheck disable=1091
 source "${kubernetes_dir}/../../../ci/lib.sh"
+KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
 # Where the trustee (includes kbs) sources will be cloned
 readonly COCO_TRUSTEE_DIR="/tmp/trustee"
 # Where the kbs sources will be cloned
@@ -232,6 +233,17 @@ function kbs_k8s_deploy() {
 [ -n "$ingress" ] && _handle_ingress "$ingress"
 echo "::group::Deploy the KBS"
+ if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+ cat <<- EOF > "${COCO_KBS_DIR}/config/kubernetes/custom_pccs/sgx_default_qcnl.conf"
+{
+ "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+
+ // To accept insecure HTTPS certificate, set this option to false
+ "use_secure_cert": false
+}
+EOF
+ export DEPLOYMENT_DIR=custom_pccs
+ fi
 ./deploy-kbs.sh
 popd
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 9f8192ea6..f33a141cb 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -131,7 +131,12 @@ function configure_snapshotter() {
 }
 function delete_coco_kbs() {
- kbs_k8s_delete
+ if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+ echo "Skipping deleting coco kbs for ${KATA_HYPERVISOR}"
+ exit 0
+ else
+ kbs_k8s_delete
+ fi
 }
 # Deploy the CoCo KBS in Kubernetes
@@ -141,7 +146,12 @@ function delete_coco_kbs() {
 # service externally
 #
 function deploy_coco_kbs() {
- kbs_k8s_deploy "$KBS_INGRESS"
+ if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+ echo "Skipping deploying coco kbs for ${KATA_HYPERVISOR}"
+ exit 0
+ else
+ kbs_k8s_deploy "$KBS_INGRESS"
+ fi
 }
 function deploy_kata() {
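Review bot: The generated sgx_default_qcnl.conf sets `"use_secure_cert": false`, which disables TLS certificate verification for the PCCS connection, and nothing in the hunk records why that is acceptable; the only mitigating factor visible is that `pccs_url` points at loopback (`https://localhost:8081/...`). A shell comment above the `cat <<- EOF`, such as `# CI-only: the PCCS is reached on loopback, so its certificate is not verified; do not reuse this config for a remote PCCS.`, would stop the setting from being copied into a non-local deployment. The redirect also assumes `${COCO_KBS_DIR}/config/kubernetes/custom_pccs/` already exists; if the cloned trustee checkout provides it that is fine, otherwise a `mkdir -p` of that directory before the `cat` is needed. The comparison uses `=` here while the gha-run.sh hunks of the same patch use `==`, a small inconsistency. kbs_k8s_deploy starts and ends outside the hunk.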
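Review bot: The new qemu-tdx branch in `delete_coco_kbs` ends with `exit 0` rather than `return 0`, terminating the whole script from inside a helper; `deploy_coco_kbs` in the next hunk and `install_kbs_client`/`uninstall_kbs_client` in the following gha-run.sh hunk share the same shape. Since the TDX workflow from the first two patches sets KATA_HYPERVISOR from `${{ matrix.vmm }}`, which I can only infer resolves to qemu-tdx there, these guards appear to skip KBS deployment precisely where the custom_pccs configuration added to confidential_kbs.sh in this patch would apply, leaving that branch unreachable from the workflow; a comment above the guard stating the reason, e.g. `# KBS steps are intentionally skipped on qemu-tdx for now (see <issue placeholder>)`, would make the intent reviewable. `[ "${KATA_HYPERVISOR}" = "qemu-tdx" ]` would also keep the test consistent with confidential_kbs.sh, which uses `=` inside `[ ]`.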
@@ -263,11 +273,21 @@ function deploy_kata() {
 }
 function install_kbs_client() {
- kbs_install_cli
+ if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+ echo "Skipping install kbs client for ${KATA_HYPERVISOR}"
+ exit 0
+ else
+ kbs_install_cli
+ fi
 }
 function uninstall_kbs_client() {
- kbs_uninstall_cli
+ if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+ echo "Skipping uninstall kbs client for ${KATA_HYPERVISOR}"
+ exit 0
+ else
+ kbs_uninstall_cli
+ fi
 }
 function run_tests() {