github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-25 11:13:15 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9424 from wainersm/cc_guest_pull-encrypted

Browse Source 
CC: run guest-pull tests on non-TEE jobs
This commit is contained in:
Wainer Moschetta 2024-04-12 09:34:35 -03:00 committed by GitHub
commit a0b21d0e14
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 95 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
.github/workflows/run-kata-coco-tests.yaml vendored
View File

@ -186,3 +186,78 @@ jobs:
- name: Delete Snapshotter - name: Delete Snapshotter
if: always() if: always()
run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
# Generate jobs for testing CoCo on non-TEE environments
run-k8s-tests-coco-nontee:
strategy:
fail-fast: false
matrix:
vmm:
- qemu
snapshotter:
- nydus
pull-type:
- guest-pull
runs-on: ubuntu-latest
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}
DOCKER_TAG: ${{ inputs.tag }}
GH_PR_NUMBER: ${{ inputs.pr-number }}
KATA_HOST_OS: ${{ matrix.host_os }}
KATA_HYPERVISOR: ${{ matrix.vmm }}
KUBERNETES: "vanilla"
PULL_TYPE: ${{ matrix.pull-type }}
SNAPSHOTTER: ${{ matrix.snapshotter }}
USING_NFD: "false"
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Download Azure CLI
run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
- name: Log into the Azure account
run: bash tests/integration/kubernetes/gha-run.sh login-azure
env:
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh create-cluster
- name: Install `bats`
run: bash tests/integration/kubernetes/gha-run.sh install-bats
- name: Install `kubectl`
run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
- name: Download credentials for the Kubernetes CLI to use them
run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
- name: Deploy Snapshotter
timeout-minutes: 5
run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
- name: Deploy Kata
timeout-minutes: 10
run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
- name: Run tests
timeout-minutes: 60
run: bash tests/integration/kubernetes/gha-run.sh run-tests
- name: Delete AKS cluster
if: always()
run: bash tests/integration/kubernetes/gha-run.sh delete-cluster

1
tests/gha-run-k8s-common.sh
View File

@ -146,6 +146,7 @@ function get_cluster_credentials() {
test_type="${1:-k8s}" test_type="${1:-k8s}"
az aks get-credentials \ az aks get-credentials \
--overwrite-existing \
-g "$(_print_rg_name ${test_type})" \ -g "$(_print_rg_name ${test_type})" \
-n "$(_print_cluster_name ${test_type})" -n "$(_print_cluster_name ${test_type})"
} }

22
tests/integration/kubernetes/k8s-guest-pull-image.bats
View File

@ -10,6 +10,8 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh"
setup() { setup() {
confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}." confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}."
[ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one"
setup_common setup_common
unencrypted_image_1="quay.io/sjenning/nginx:1.15-alpine" unencrypted_image_1="quay.io/sjenning/nginx:1.15-alpine"
unencrypted_image_2="quay.io/prometheus/busybox:latest" unencrypted_image_2="quay.io/prometheus/busybox:latest"
@ -17,7 +19,6 @@ setup() {
} }
@test "Test we can pull an unencrypted image outside the guest with runc and then inside the guest successfully" { @test "Test we can pull an unencrypted image outside the guest with runc and then inside the guest successfully" {
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && skip "Test not supported for ${KATA_HYPERVISOR}."
# 1. Create one runc pod with the $unencrypted_image_1 image # 1. Create one runc pod with the $unencrypted_image_1 image
# We want to have one runc pod, so we pass a fake runtimeclass "runc" and then delete the runtimeClassName, # We want to have one runc pod, so we pass a fake runtimeclass "runc" and then delete the runtimeClassName,
# because the runtimeclass is not optional in new_pod_config function. # because the runtimeclass is not optional in new_pod_config function.
@ -46,6 +47,11 @@ setup() {
"io.containerd.cri.runtime-handler" \ "io.containerd.cri.runtime-handler" \
"kata-${KATA_HYPERVISOR}" "kata-${KATA_HYPERVISOR}"
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && \
set_metadata_annotation "$kata_pod_with_nydus_config" \
"io.katacontainers.config.hypervisor.image" \
"/opt/kata/share/kata-containers/kata-containers-confidential.img"
# For debug sake # For debug sake
echo "Pod $kata_pod_with_nydus_config file:" echo "Pod $kata_pod_with_nydus_config file:"
cat $kata_pod_with_nydus_config cat $kata_pod_with_nydus_config
@ -100,7 +106,6 @@ setup() {
} }
@test "Test we can pull an unencrypted image inside the guest twice in a row and then outside the guest successfully" { @test "Test we can pull an unencrypted image inside the guest twice in a row and then outside the guest successfully" {
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && skip "Test not supported for ${KATA_HYPERVISOR}."
skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377" skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377"
# 1. Create one kata pod with the $unencrypted_image_1 image and nydus annotation twice # 1. Create one kata pod with the $unencrypted_image_1 image and nydus annotation twice
kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image_1" "kata-${KATA_HYPERVISOR}")" kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image_1" "kata-${KATA_HYPERVISOR}")"
@ -112,6 +117,11 @@ setup() {
"io.containerd.cri.runtime-handler" \ "io.containerd.cri.runtime-handler" \
"kata-${KATA_HYPERVISOR}" "kata-${KATA_HYPERVISOR}"
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && \
set_metadata_annotation "$kata_pod_with_nydus_config" \
"io.katacontainers.config.hypervisor.image" \
"/opt/kata/share/kata-containers/kata-containers-confidential.img"
# For debug sake # For debug sake
echo "Pod $kata_pod_with_nydus_config file:" echo "Pod $kata_pod_with_nydus_config file:"
cat $kata_pod_with_nydus_config cat $kata_pod_with_nydus_config
@ -157,7 +167,6 @@ setup() {
} }
@test "Test we can pull an other unencrypted image outside the guest and then inside the guest successfully" { @test "Test we can pull an other unencrypted image outside the guest and then inside the guest successfully" {
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && skip "Test not supported for ${KATA_HYPERVISOR}."
skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377" skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377"
# 1. Create one kata pod with the $unencrypted_image_2 image and without nydus annotation # 1. Create one kata pod with the $unencrypted_image_2 image and without nydus annotation
kata_pod_without_nydus_config="$(new_pod_config "$unencrypted_image_2" "kata-${KATA_HYPERVISOR}")" kata_pod_without_nydus_config="$(new_pod_config "$unencrypted_image_2" "kata-${KATA_HYPERVISOR}")"
@ -191,6 +200,11 @@ setup() {
"io.containerd.cri.runtime-handler" \ "io.containerd.cri.runtime-handler" \
"kata-${KATA_HYPERVISOR}" "kata-${KATA_HYPERVISOR}"
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]] && \
set_metadata_annotation "$kata_pod_with_nydus_config" \
"io.katacontainers.config.hypervisor.image" \
"/opt/kata/share/kata-containers/kata-containers-confidential.img"
# For debug sake # For debug sake
echo "Pod $kata_pod_with_nydus_config file:" echo "Pod $kata_pod_with_nydus_config file:"
cat $kata_pod_with_nydus_config cat $kata_pod_with_nydus_config
@ -215,6 +229,8 @@ setup() {
teardown() { teardown() {
check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}." check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}."
[ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one"
kubectl describe pod "$pod_name" kubectl describe pod "$pod_name"
k8s_delete_all_pods_if_any_exists || true k8s_delete_all_pods_if_any_exists || true
} }