tests/k8s: update kbs repository
The confidential-containers/kbs repository was recently renamed to confidential-containers/trustee. GitHub will automatically redirect the old URL, but it is better to update it in the code. The trustee repository will be cloned to $COCO_TRUSTEE_DIR. File paths and pushd/popd calls were adjusted to use $COCO_KBS_DIR ($COCO_TRUSTEE_DIR/kbs). In versions.yaml the key was renamed from `coco-kbs` to `coco-trustee`, keeping it generic because other trustee components might be needed in the future. Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
parent
c669567cd3
commit
8ea9ac515e
@ -17,12 +17,14 @@ source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
|
|||||||
# shellcheck disable=1091
|
# shellcheck disable=1091
|
||||||
source "${kubernetes_dir}/../../../ci/lib.sh"
|
source "${kubernetes_dir}/../../../ci/lib.sh"
|
||||||
|
|
||||||
|
# Where the trustee (includes kbs) sources will be cloned
|
||||||
|
readonly COCO_TRUSTEE_DIR="/tmp/trustee"
|
||||||
# Where the kbs sources will be cloned
|
# Where the kbs sources will be cloned
|
||||||
readonly COCO_KBS_DIR="/tmp/kbs"
|
readonly COCO_KBS_DIR="${COCO_TRUSTEE_DIR}/kbs"
|
||||||
# The k8s namespace where the kbs service is deployed
|
# The k8s namespace where the kbs service is deployed
|
||||||
readonly KBS_NS="coco-tenant"
|
readonly KBS_NS="coco-tenant"
|
||||||
# The private key file used for CLI authentication
|
# The private key file used for CLI authentication
|
||||||
readonly KBS_PRIVATE_KEY="${COCO_KBS_DIR}/kbs/config/kubernetes/base/kbs.key"
|
readonly KBS_PRIVATE_KEY="${COCO_KBS_DIR}/config/kubernetes/base/kbs.key"
|
||||||
# The kbs service name
|
# The kbs service name
|
||||||
readonly KBS_SVC_NAME="kbs"
|
readonly KBS_SVC_NAME="kbs"
|
||||||
|
|
||||||
@ -30,14 +32,14 @@ readonly KBS_SVC_NAME="kbs"
|
|||||||
#
|
#
|
||||||
kbs_set_allow_all_resources() {
|
kbs_set_allow_all_resources() {
|
||||||
kbs_set_resources_policy \
|
kbs_set_resources_policy \
|
||||||
"${COCO_KBS_DIR}/kbs/sample_policies/allow_all.rego"
|
"${COCO_KBS_DIR}/sample_policies/allow_all.rego"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Set "deny all" policy to resources.
|
# Set "deny all" policy to resources.
|
||||||
#
|
#
|
||||||
kbs_set_deny_all_resources() {
|
kbs_set_deny_all_resources() {
|
||||||
kbs_set_resources_policy \
|
kbs_set_resources_policy \
|
||||||
"${COCO_KBS_DIR}/kbs/sample_policies/deny_all.rego"
|
"${COCO_KBS_DIR}/sample_policies/deny_all.rego"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Set resources policy.
|
# Set resources policy.
|
||||||
@ -146,7 +148,7 @@ kbs_install_cli() {
|
|||||||
# the required version.
|
# the required version.
|
||||||
_ensure_rust "$rust_version"
|
_ensure_rust "$rust_version"
|
||||||
|
|
||||||
pushd "${COCO_KBS_DIR}/kbs"
|
pushd "${COCO_KBS_DIR}"
|
||||||
# Compile with sample features to bypass attestation.
|
# Compile with sample features to bypass attestation.
|
||||||
make CLI_FEATURES=sample_only cli
|
make CLI_FEATURES=sample_only cli
|
||||||
sudo make install-cli
|
sudo make install-cli
|
||||||
@ -155,11 +157,11 @@ kbs_install_cli() {
|
|||||||
|
|
||||||
# Delete the kbs on Kubernetes
|
# Delete the kbs on Kubernetes
|
||||||
#
|
#
|
||||||
# Note: assume the kbs sources were cloned to $COCO_KBS_DIR
|
# Note: assume the kbs sources were cloned to $COCO_TRUSTEE_DIR
|
||||||
#
|
#
|
||||||
function kbs_k8s_delete() {
|
function kbs_k8s_delete() {
|
||||||
pushd "$COCO_KBS_DIR"
|
pushd "$COCO_KBS_DIR"
|
||||||
kubectl delete -k kbs/config/kubernetes/overlays
|
kubectl delete -k config/kubernetes/overlays
|
||||||
popd
|
popd
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -183,10 +185,10 @@ function kbs_k8s_deploy() {
|
|||||||
ensure_yq
|
ensure_yq
|
||||||
|
|
||||||
# Read from versions.yaml
|
# Read from versions.yaml
|
||||||
repo=$(get_from_kata_deps "externals.coco-kbs.url")
|
repo=$(get_from_kata_deps "externals.coco-trustee.url")
|
||||||
version=$(get_from_kata_deps "externals.coco-kbs.version")
|
version=$(get_from_kata_deps "externals.coco-trustee.version")
|
||||||
image=$(get_from_kata_deps "externals.coco-kbs.image")
|
image=$(get_from_kata_deps "externals.coco-trustee.image")
|
||||||
image_tag=$(get_from_kata_deps "externals.coco-kbs.image_tag")
|
image_tag=$(get_from_kata_deps "externals.coco-trustee.image_tag")
|
||||||
|
|
||||||
# The ingress handler for AKS relies on the cluster's name which in turn
|
# The ingress handler for AKS relies on the cluster's name which in turn
|
||||||
# contain the HEAD commit of the kata-containers repository (supposedly the
|
# contain the HEAD commit of the kata-containers repository (supposedly the
|
||||||
@ -197,18 +199,19 @@ function kbs_k8s_deploy() {
|
|||||||
export AKS_NAME
|
export AKS_NAME
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -d "$COCO_KBS_DIR" ]; then
|
if [ -d "$COCO_TRUSTEE_DIR" ]; then
|
||||||
rm -rf "$COCO_KBS_DIR"
|
rm -rf "$COCO_TRUSTEE_DIR"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "::group::Clone the kbs sources"
|
echo "::group::Clone the kbs sources"
|
||||||
git clone --depth 1 "${repo}" "$COCO_KBS_DIR"
|
git clone --depth 1 "${repo}" "$COCO_TRUSTEE_DIR"
|
||||||
pushd "$COCO_KBS_DIR"
|
pushd "$COCO_TRUSTEE_DIR"
|
||||||
git fetch --depth=1 origin "${version}"
|
git fetch --depth=1 origin "${version}"
|
||||||
git checkout FETCH_HEAD -b kbs_$$
|
git checkout FETCH_HEAD -b kbs_$$
|
||||||
|
popd
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
pushd kbs/config/kubernetes/
|
pushd "${COCO_KBS_DIR}/config/kubernetes/"
|
||||||
|
|
||||||
# Tests should fill kbs resources later, however, the deployment
|
# Tests should fill kbs resources later, however, the deployment
|
||||||
# expects at least one secret served at install time.
|
# expects at least one secret served at install time.
|
||||||
@ -226,7 +229,6 @@ function kbs_k8s_deploy() {
|
|||||||
echo "::group::Deploy the KBS"
|
echo "::group::Deploy the KBS"
|
||||||
./deploy-kbs.sh
|
./deploy-kbs.sh
|
||||||
popd
|
popd
|
||||||
popd
|
|
||||||
|
|
||||||
if ! waitForProcess "120" "10" "kubectl -n \"$KBS_NS\" get pods | \
|
if ! waitForProcess "120" "10" "kubectl -n \"$KBS_NS\" get pods | \
|
||||||
grep -q '^kbs-.*Running.*'"; then
|
grep -q '^kbs-.*Running.*'"; then
|
||||||
@ -394,7 +396,7 @@ _handle_ingress_aks() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pushd "$COCO_KBS_DIR/kbs/config/kubernetes/overlays"
|
pushd "${COCO_KBS_DIR}/config/kubernetes/overlays"
|
||||||
|
|
||||||
echo "::group::$(pwd)/ingress.yaml"
|
echo "::group::$(pwd)/ingress.yaml"
|
||||||
KBS_INGRESS_CLASS="addon-http-application-routing" \
|
KBS_INGRESS_CLASS="addon-http-application-routing" \
|
||||||
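Review bot: The new `readonly COCO_TRUSTEE_DIR="/tmp/trustee"` keeps the clone at a fixed, predictable name in world-writable /tmp, and that tree is where `KBS_PRIVATE_KEY` lives and where `kbs_install_cli` later runs `sudo make install-cli`. In `kbs_k8s_deploy` the results of `rm -rf "$COCO_TRUSTEE_DIR"` and `git clone` are not checked in the lines shown, so on a shared or reused host a leftover directory that the CI user cannot remove would be built from and deployed as-is, unless errexit is set somewhere outside this view. Consider a runner-private base such as `readonly COCO_TRUSTEE_DIR="${RUNNER_TEMP:-/tmp}/trustee"`, and fail early with `git clone --depth 1 "${repo}" "$COCO_TRUSTEE_DIR" || return 1`. Both `kbs_install_cli` and `kbs_k8s_deploy` start and end outside the hunks shown, so an existing guard elsewhere in those functions cannot be ruled out.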
|
@ -199,9 +199,9 @@ externals:
|
|||||||
version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
|
version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
|
||||||
toolchain: "1.72.0"
|
toolchain: "1.72.0"
|
||||||
|
|
||||||
coco-kbs:
|
coco-trustee:
|
||||||
description: "Provides attestation and secret Management services"
|
description: "Provides attestation and secret delivery components"
|
||||||
url: "https://github.com/confidential-containers/kbs"
|
url: "https://github.com/confidential-containers/trustee"
|
||||||
version: "18c8ee378c6d83446ee635a702d5dee389028d8f"
|
version: "18c8ee378c6d83446ee635a702d5dee389028d8f"
|
||||||
image: "ghcr.io/confidential-containers/staged-images/kbs"
|
image: "ghcr.io/confidential-containers/staged-images/kbs"
|
||||||
image_tag: "18c8ee378c6d83446ee635a702d5dee389028d8f"
|
image_tag: "18c8ee378c6d83446ee635a702d5dee389028d8f"
|
||||||
|