Merge pull request #9452 from GabyCT/topic/tdxcoco

gha: Add support to install KBS to k8s TDX GHA workflow

.github/workflows/run-kata-coco-tests.yaml

@@ -42,7 +42,9 @@ jobs:
       KATA_HYPERVISOR: ${{ matrix.vmm }}
       KUBERNETES: "k3s"
       USING_NFD: "true"
+      KBS: "true"
       K8S_TEST_HOST_TYPE: "baremetal"
+      KBS_INGRESS: "nodeport"
       SNAPSHOTTER: ${{ matrix.snapshotter }}
       PULL_TYPE: ${{ matrix.pull-type }}
     steps:
@@ -65,6 +67,18 @@ jobs:
         timeout-minutes: 10
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
 
+      - name: Uninstall previous `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
       - name: Run tests
         timeout-minutes: 30
         run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -77,6 +91,10 @@ jobs:
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
 
+      - name: Delete CoCo KBS
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+
   run-k8s-tests-on-sev:
     strategy:
       fail-fast: false

tests/integration/kubernetes/confidential_kbs.sh

@@ -13,6 +13,7 @@ source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
 # shellcheck disable=1091
 source "${kubernetes_dir}/../../../ci/lib.sh"
 
+KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
 # Where the trustee (includes kbs) sources will be cloned
 readonly COCO_TRUSTEE_DIR="/tmp/trustee"
 # Where the kbs sources will be cloned
@@ -232,6 +233,17 @@ function kbs_k8s_deploy() {
 	[ -n "$ingress" ] && _handle_ingress "$ingress"
 
 	echo "::group::Deploy the KBS"
+	if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+		cat <<- EOF > "${COCO_KBS_DIR}/config/kubernetes/custom_pccs/sgx_default_qcnl.conf"
+{
+ "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+
+ // To accept insecure HTTPS certificate, set this option to false
+ "use_secure_cert": false
+}
+EOF
+		export DEPLOYMENT_DIR=custom_pccs
+	fi
 	./deploy-kbs.sh
 	popd
 

tests/integration/kubernetes/gha-run.sh

@@ -131,7 +131,12 @@ function configure_snapshotter() {
 }
 
 function delete_coco_kbs() {
-	kbs_k8s_delete
+	if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+		echo "Skipping deleting coco kbs for ${KATA_HYPERVISOR}"
+		exit 0
+	else
+		kbs_k8s_delete
+	fi
 }
 
 # Deploy the CoCo KBS in Kubernetes
@@ -141,7 +146,12 @@ function delete_coco_kbs() {
 #	              service externally
 #
 function deploy_coco_kbs() {
-	kbs_k8s_deploy "$KBS_INGRESS"
+	if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+		echo "Skipping deploying coco kbs for ${KATA_HYPERVISOR}"
+		exit 0
+	else
+		kbs_k8s_deploy "$KBS_INGRESS"
+	fi
 }
 
 function deploy_kata() {
@@ -263,7 +273,21 @@ function deploy_kata() {
 }
 
 function install_kbs_client() {
-	kbs_install_cli
+	if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+		echo "Skipping install kbs client for ${KATA_HYPERVISOR}"
+		exit 0
+	else
+		kbs_install_cli
+	fi
+}
+
+function uninstall_kbs_client() {
+	if [ "${KATA_HYPERVISOR}" == "qemu-tdx" ]; then
+		echo "Skipping uninstall kbs client for ${KATA_HYPERVISOR}"
+		exit 0
+	else
+		kbs_uninstall_cli
+	fi
 }
 
 function run_tests() {
@@ -594,6 +618,7 @@ function main() {
 		delete-coco-kbs) delete_coco_kbs ;;
 		delete-cluster) cleanup "aks" ;;
 		delete-cluster-kcli) delete_cluster_kcli ;;
+		uninstall-kbs-client) uninstall_kbs_client ;;
 		*) >&2 echo "Invalid argument"; exit 2 ;;
 	esac
 }