ci: k8s: Add the image used for unencrypted confidential tests

Let's add here the image we'll be using for unencrypted confidential tests. Later on, we'll make sure to build and use this image as part of our CI. The image can easily be built as a multi-arch image, and has `cpuid` installed in case of `x86_64` build, so it can be used to detect whether we're running on a TEE guest without having to rely on `dmesg | grep ...`. Fixes: #7595 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-04-29 12:14:48 +00:00 · 2023-08-08 11:16:10 +02:00 · 2023-08-08 11:16:10 +02:00 · ab5f603ffa
commit ab5f603ffa
parent 36d53dd2af
3 changed files with 45 additions and 0 deletions
--- a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
@ -0,0 +1,37 @@
+# Copyright (c) 2023 Intel Corporatiion
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# We know that using latest is error prone, we're taking the risk here.
+# hadolint ignore=DL3007
+FROM alpine:latest
+
+# We don't need a specific version of those packages
+# hadolint ignore=DL3018
+RUN apk add --no-cache curl openssh-server
+
+# Download and install `cpuid`, which will be used to detect
+# whether we're the container is running on a TEE guest
+# hadolint ignore=DL3059
+RUN /bin/sh -c \
+    'ARCH=$(uname -m) && \
+    [[ "${ARCH}" == "x86_64" ]] && \
+    curl -LO https://github.com/klauspost/cpuid/releases/download/v2.2.5/cpuid-Linux_x86_64_2.2.5.tar.gz && \
+    tar -xvzf cpuid-Linux_x86_64_2.2.5.tar.gz  -C /usr/bin && \
+    rm -rf cpuid-Linux_x86_64_2.2.5.tar.gz && \
+    rm -f /usr/bin/LICENSE'
+
+# This is done just to avoid the following error starting sshd
+# `sshd: no hostkeys available -- exiting.`
+# hadolint ignore=DL3059
+RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
+
+# A password needs to be set for login to work. An empty password is
+# unproblematic as password-based login to root is not allowed.
+# hadolint ignore=DL3059
+RUN passwd -d root
+
+# Generated with `ssh-keygen -t ed25519 -f unencrypted -P "" -C ""`
+COPY ssh/unencrypted.pub /root/.ssh/authorized_keys
+
+ENTRYPOINT ["/usr/sbin/sshd", "-D"]
--- a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted
@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYAAAAIh44GnReOBp
+0QAAAAtzc2gtZWQyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYA
+AAAEDwZtSRH/KNwmm/QCMHcif3iMQpGPOr2d12hcQqMY3KJPlENONZ3xzv3ekqk5Qa378P
+4Vrs8xVRC1K523pHwkxgAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
--- a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlENONZ3xzv3ekqk5Qa378P4Vrs8xVRC1K523pHwkxg
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlENONZ3xzv3ekqk5Qa378P4Vrs8xVRC1K523pHwkxg`