From ab5f603ffa24da7f611b4e31101091578b849de1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 8 Aug 2023 11:16:10 +0200
Subject: [PATCH] ci: k8s: Add the image used for unencrypted confidential tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's add here the image we'll be using for unencrypted confidential tests. Later on, we'll make sure to build and use this image as part of our CI.

The image can easily be built as a multi-arch image, and has `cpuid` installed in case of `x86_64` build, so it can be used to detect whether we're running on a TEE guest without having to rely on `dmesg | grep ...`.

Fixes: #7595

Signed-off-by: Fabiano FidĂȘncio
---
 .../confidential/unencrypted/Dockerfile | 37 +++++++++++++++++++
 .../confidential/unencrypted/ssh/unencrypted | 7 ++++
 .../unencrypted/ssh/unencrypted.pub | 1 +
 3 files changed, 45 insertions(+)
 create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
 create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted
 create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub

diff --git a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
new file mode 100644
index 0000000000..e4db179394
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
@@ -0,0 +1,37 @@
+# Copyright (c) 2023 Intel Corporatiion
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# We know that using latest is error prone, we're taking the risk here.
+# hadolint ignore=DL3007
+FROM alpine:latest
+
+# We don't need a specific version of those packages
+# hadolint ignore=DL3018
+RUN apk add --no-cache curl openssh-server
+
+# Download and install `cpuid`, which will be used to detect
+# whether we're the container is running on a TEE guest
+# hadolint ignore=DL3059
+RUN /bin/sh -c \
+ 'ARCH=$(uname -m) && \
+ [[ "${ARCH}" == "x86_64" ]] && \
+ curl -LO https://github.com/klauspost/cpuid/releases/download/v2.2.5/cpuid-Linux_x86_64_2.2.5.tar.gz && \
+ tar -xvzf cpuid-Linux_x86_64_2.2.5.tar.gz -C /usr/bin && \
+ rm -rf cpuid-Linux_x86_64_2.2.5.tar.gz && \
+ rm -f /usr/bin/LICENSE'
+
+# This is done just to avoid the following error starting sshd
+# `sshd: no hostkeys available -- exiting.`
+# hadolint ignore=DL3059
+RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
+
+# A password needs to be set for login to work. An empty password is
+# unproblematic as password-based login to root is not allowed.
+# hadolint ignore=DL3059
+RUN passwd -d root
+
+# Generated with `ssh-keygen -t ed25519 -f unencrypted -P "" -C ""`
+COPY ssh/unencrypted.pub /root/.ssh/authorized_keys
+
+ENTRYPOINT ["/usr/sbin/sshd", "-D"]
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted
new file mode 100644
index 0000000000..1f75d37d6e
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted
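Review bot: On any non-x86_64 builder the `RUN /bin/sh -c '... [[ "${ARCH}" == "x86_64" ]] && curl ...'` step fails the whole build, because a false test short-circuits the `&&` chain and the shell exits non-zero, which contradicts the multi-arch intent in the commit message; wrapping the download in `if [ "${ARCH}" = "x86_64" ]; then …; fi` makes the step a no-op elsewhere (POSIX `[` also avoids depending on busybox ash accepting the bash-only `[[`). The tarball is fetched from the network with no integrity check, and `curl -LO` lacks `-f`, so an HTTP error body would be saved to disk and only noticed when `tar` chokes on it; `-fsSLO` plus a pinned `sha256sum -c` against the release's published checksum closes both gaps (the value below is a placeholder to be filled from the release page). The `passwd -d root` comment relies on sshd's compiled-in defaults (`PermitRootLogin prohibit-password`, `PermitEmptyPasswords no`) that this image never states; pinning them in `/etc/ssh/sshd_config` in the same step would make the claim hold regardless of the base image's packaged config. Two comment fixes while here: `# whether the container is running on a TEE guest` and `Corporation` in the header.
```dockerfile
RUN /bin/sh -c \
    'ARCH=$(uname -m) && \
    if [ "${ARCH}" = "x86_64" ]; then \
        curl -fsSLO https://github.com/klauspost/cpuid/releases/download/v2.2.5/cpuid-Linux_x86_64_2.2.5.tar.gz && \
        echo "<CPUID_TARBALL_SHA256>  cpuid-Linux_x86_64_2.2.5.tar.gz" | sha256sum -c - && \
        tar -xvzf cpuid-Linux_x86_64_2.2.5.tar.gz -C /usr/bin && \
        rm -rf cpuid-Linux_x86_64_2.2.5.tar.gz && \
        rm -f /usr/bin/LICENSE; \
    fi'
```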
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYAAAAIh44GnReOBp
+0QAAAAtzc2gtZWQyNTUxOQAAACD5RDTjWd8c793pKpOUGt+/D+Fa7PMVUQtSudt6R8JMYA
+AAAAEDwZtSRH/KNwmm/QCMHcif3iMQpGPOr2d12hcQqMY3KJPlENONZ3xzv3ekqk5Qa378P
+4Vrs8xVRC1K523pHwkxgAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub
new file mode 100644
index 0000000000..ce3b9ef607
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ssh/unencrypted.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlENONZ3xzv3ekqk5Qa378P4Vrs8xVRC1K523pHwkxg
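Review bot: The private key committed here is, through the Dockerfile's `COPY ssh/unencrypted.pub /root/.ssh/authorized_keys`, a root SSH credential for every container built from this image, so the image must remain confined to the CI test namespace and must never be pushed to a public registry or reused as a base. That the key is deliberately non-secret is currently implied only by its file name; a one-line note next to it (or on the Dockerfile's COPY line, e.g. `# Test-only keypair, intentionally public: grants root SSH into the test pod`) would stop future maintainers and secret-scanner triage from treating it as a leak or, worse, from "fixing" it by making the key private while leaving the image public. The `.pub` hunk that follows carries the same caveat.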