github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-11 12:52:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9613 from fidencio/topic/skip-pull-image-tests-on-tees-part-II

Browse Source 
tests: pull-image: Only skip tests for TEEs
This commit is contained in:
Fabiano Fidêncio 2024-05-18 03:31:38 +02:00 committed by GitHub
commit cbfdc70a55
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 75 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
tests/gha-run-k8s-common.sh
View File

@ -62,7 +62,14 @@ function enable_cluster_http_application_routing() {
} }
function install_azure_cli() { function install_azure_cli() {
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash # This is a workaround for https://github.com/Azure/azure-cli/issues/28984
# which ended up breaking our CI.
curl -sL https://aka.ms/InstallAzureCLIDeb -o installAzureCli.sh
sed -i '/curl -sLS https:\/\/packages.microsoft.com\/keys\/microsoft.asc |/d' installAzureCli.sh
sed -i '/gpg --dearmor -o \/etc\/apt\/keyrings\/microsoft.gpg/d' installAzureCli.sh
sed -i '/chmod go+r \/etc\/apt\/keyrings\/microsoft.gpg/d' installAzureCli.sh
sudo bash installAzureCli.sh
# The aks-preview extension is required while the Mariner Kata host is in preview. # The aks-preview extension is required while the Mariner Kata host is in preview.
az extension add --name aks-preview az extension add --name aks-preview
} }

35
tests/integration/kubernetes/confidential_common.sh
View File

@ -44,7 +44,7 @@ function check_hypervisor_for_confidential_tests() {
local kata_hypervisor="${1}" local kata_hypervisor="${1}"
# This check must be done with "<SPACE>${KATA_HYPERVISOR}<SPACE>" to avoid # This check must be done with "<SPACE>${KATA_HYPERVISOR}<SPACE>" to avoid
# having substrings, like qemu, being matched with qemu-$something. # having substrings, like qemu, being matched with qemu-$something.
if [[ " ${SUPPORTED_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]] ||\ if check_hypervisor_for_confidential_tests_tee_only "${kata_hypervisor}" ||\
[[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]]; then [[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]]; then
return 0 return 0
else else
@ -52,10 +52,33 @@ function check_hypervisor_for_confidential_tests() {
fi fi
} }
# Common setup for confidential tests. # This function verifies whether the input hypervisor supports confidential tests and
function confidential_setup() { # relies on `KATA_HYPERVISOR` being an environment variable
ensure_yq function check_hypervisor_for_confidential_tests_tee_only() {
if ! check_hypervisor_for_confidential_tests "${KATA_HYPERVISOR}"; then local kata_hypervisor="${1}"
return 1 # This check must be done with "<SPACE>${KATA_HYPERVISOR}<SPACE>" to avoid
# having substrings, like qemu, being matched with qemu-$something.
if [[ " ${SUPPORTED_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]]; then
return 0
fi fi
return 1
}
# Common check for confidential tests.
function is_confidential_runtime_class() {
if check_hypervisor_for_confidential_tests "${KATA_HYPERVISOR}"; then
return 0
fi
return 1
}
# Common check for confidential hardware tests.
function is_confidential_hardware() {
if check_hypervisor_for_confidential_tests_tee_only "${KATA_HYPERVISOR}"; then
return 0
fi
return 1
} }

4
tests/integration/kubernetes/k8s-confidential-attestation.bats
View File

@ -15,7 +15,7 @@ export KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
export AA_KBC="${AA_KBC:-cc_kbc}" export AA_KBC="${AA_KBC:-cc_kbc}"
setup() { setup() {
confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}." is_confidential_runtime_class || skip "Test not supported for ${KATA_HYPERVISOR}."
if [ "${KBS}" = "false" ]; then if [ "${KBS}" = "false" ]; then
skip "Test skipped as KBS not setup" skip "Test skipped as KBS not setup"
@ -82,7 +82,7 @@ setup() {
} }
teardown() { teardown() {
check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}." is_confidential_runtime_class || skip "Test not supported for ${KATA_HYPERVISOR}."
if [ "${KBS}" = "false" ]; then if [ "${KBS}" = "false" ]; then
skip "Test skipped as KBS not setup" skip "Test skipped as KBS not setup"

8
tests/integration/kubernetes/k8s-confidential.bats
View File

@ -10,7 +10,9 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}." if ! is_confidential_hardware; then
skip "Test is supported only on confidential hardware (which ${KATA_HYPERVISOR} is not)"
fi
setup_unencrypted_confidential_pod setup_unencrypted_confidential_pod
} }
@ -41,7 +43,9 @@ setup() {
} }
teardown() { teardown() {
check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}." if ! is_confidential_hardware; then
skip "Test is supported only on confidential hardware (which ${KATA_HYPERVISOR} is not)"
fi
kubectl describe "pod/${pod_name}" || true kubectl describe "pod/${pod_name}" || true
kubectl delete -f "${pod_config_dir}/pod-confidential-unencrypted.yaml" || true kubectl delete -f "${pod_config_dir}/pod-confidential-unencrypted.yaml" || true

26
tests/integration/kubernetes/k8s-guest-pull-image.bats
View File

@ -9,7 +9,13 @@ load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/confidential_common.sh" load "${BATS_TEST_DIRNAME}/confidential_common.sh"
setup() { setup() {
confidential_setup && skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}." if is_confidential_hardware; then
skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}."
fi
if ! is_confidential_runtime_class; then
skip "Test not supported for ${KATA_HYPERVISOR}."
fi
[ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one" [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one"
@ -20,7 +26,13 @@ setup() {
} }
@test "Test we can pull an unencrypted image outside the guest with runc and then inside the guest successfully" { @test "Test we can pull an unencrypted image outside the guest with runc and then inside the guest successfully" {
confidential_setup && skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}." if is_confidential_hardware; then
skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}."
fi
if ! is_confidential_runtime_class; then
skip "Test not supported for ${KATA_HYPERVISOR}."
fi
# 1. Create one runc pod with the $unencrypted_image_1 image # 1. Create one runc pod with the $unencrypted_image_1 image
# We want to have one runc pod, so we pass a fake runtimeclass "runc" and then delete the runtimeClassName, # We want to have one runc pod, so we pass a fake runtimeclass "runc" and then delete the runtimeClassName,
@ -104,7 +116,6 @@ setup() {
} }
@test "Test we can pull an unencrypted image inside the guest twice in a row and then outside the guest successfully" { @test "Test we can pull an unencrypted image inside the guest twice in a row and then outside the guest successfully" {
skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377"
# 1. Create one kata pod with the $unencrypted_image_1 image and nydus annotation twice # 1. Create one kata pod with the $unencrypted_image_1 image and nydus annotation twice
kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image_1" "kata-${KATA_HYPERVISOR}")" kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image_1" "kata-${KATA_HYPERVISOR}")"
set_node "$kata_pod_with_nydus_config" "$node" set_node "$kata_pod_with_nydus_config" "$node"
@ -160,7 +171,6 @@ setup() {
} }
@test "Test we can pull an other unencrypted image outside the guest and then inside the guest successfully" { @test "Test we can pull an other unencrypted image outside the guest and then inside the guest successfully" {
skip "Skip this test until we use containerd 2.0 with 'image pull per runtime class' feature: https://github.com/containerd/containerd/issues/9377"
# 1. Create one kata pod with the $unencrypted_image_2 image and without nydus annotation # 1. Create one kata pod with the $unencrypted_image_2 image and without nydus annotation
kata_pod_without_nydus_config="$(new_pod_config "$unencrypted_image_2" "kata-${KATA_HYPERVISOR}")" kata_pod_without_nydus_config="$(new_pod_config "$unencrypted_image_2" "kata-${KATA_HYPERVISOR}")"
set_node "$kata_pod_without_nydus_config" "$node" set_node "$kata_pod_without_nydus_config" "$node"
@ -216,7 +226,13 @@ setup() {
} }
teardown() { teardown() {
confidential_setup && skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}." if is_confidential_hardware; then
skip "Due to issues related to pull-image integration skip tests for ${KATA_HYPERVISOR}."
fi
if ! is_confidential_runtime_class; then
skip "Test not supported for ${KATA_HYPERVISOR}."
fi
[ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one" [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one"

4
tests/integration/kubernetes/lib.sh
View File

@ -130,8 +130,8 @@ assert_rootfs_count() {
done done
echo "allrootfs is: $allrootfs" echo "allrootfs is: $allrootfs"
count=$(echo $allrootfs | grep -o "rootfs" | wc -l) count=$(echo $allrootfs | grep -o "rootfs" | wc -l)
echo "count of container rootfs in host is: $count, expect count is: $expect_count" echo "count of container rootfs in host is: $count, expect count is less than, or equal to: $expect_count"
[ $expect_count -eq $count ] [ $expect_count -ge $count ]
} }
# Create a pod configuration out of a template file. # Create a pod configuration out of a template file.