Merge pull request #11081 from BbolroC/unsealed-secret-fix

tests: Enable sealed secrets for all TEEs
2025-04-27 11:31:05 +00:00 · 2025-03-31 11:19:52 -04:00 · 2025-03-31 11:19:52 -04:00 · e5c4cfb8a1
commit e5c4cfb8a1
parent abbc9c6b50 0aa76f7206
3 changed files with 59 additions and 33 deletions
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@ -241,7 +241,11 @@ impl AgentService {
        // readonly
        handle_cdi_devices(&sl(), &mut oci, "/var/run/cdi", AGENT_CONFIG.cdi_timeout).await?;

-        cdh_handler(&mut oci).await?;
+        // Handle trusted storage configuration before mounting any storage
+        #[cfg(feature = "guest-pull")]
+        cdh_handler_trusted_storage(&mut oci)
+            .await
+            .map_err(|e| anyhow!("failed to handle trusted storage: {}", e))?;

        // Both rootfs and volumes (invoked with --volume for instance) will
        // be processed the same way. The idea is to always mount any provided
@ -258,6 +262,11 @@ impl AgentService {
        )
        .await?;

+        // Handle sealed secrets after storage is mounted
+        cdh_handler_sealed_secrets(&mut oci)
+            .await
+            .map_err(|e| anyhow!("failed to handle sealed secrets: {}", e))?;
+
        let mut s = self.sandbox.lock().await;
        s.container_mounts.insert(cid.clone(), m);

@ -2234,7 +2243,42 @@ fn is_sealed_secret_path(source_path: &str) -> bool {
            .any(|suffix| source_path.ends_with(suffix))
 }

-async fn cdh_handler(oci: &mut Spec) -> Result<()> {
+#[cfg(feature = "guest-pull")]
+async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
+    if !cdh::is_cdh_client_initialized().await {
+        return Ok(());
+    }
+    let linux = oci
+        .linux()
+        .as_ref()
+        .ok_or_else(|| anyhow!("Spec didn't contain linux field"))?;
+
+    if let Some(devices) = linux.devices() {
+        for specdev in devices.iter() {
+            if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
+                let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
+                let secure_storage_integrity = AGENT_CONFIG.secure_storage_integrity.to_string();
+                info!(
+                    sl(),
+                    "trusted_store device major:min {}, enable data integrity {}",
+                    dev_major_minor,
+                    secure_storage_integrity
+                );
+
+                let options = std::collections::HashMap::from([
+                    ("deviceId".to_string(), dev_major_minor),
+                    ("encryptType".to_string(), "LUKS".to_string()),
+                    ("dataIntegrity".to_string(), secure_storage_integrity),
+                ]);
+                cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?;
+                break;
+            }
+        }
+    }
+    Ok(())
+}
+
+async fn cdh_handler_sealed_secrets(oci: &mut Spec) -> Result<()> {
    if !cdh::is_cdh_client_initialized().await {
        return Ok(());
    }
@ -2291,35 +2335,6 @@ async fn cdh_handler(oci: &mut Spec) -> Result<()> {
        }
    }

-    #[cfg(feature = "guest-pull")]
-    let linux = oci
-        .linux()
-        .as_ref()
-        .ok_or_else(|| anyhow!("Spec didn't contain linux field"))?;
-
-    #[cfg(feature = "guest-pull")]
-    if let Some(devices) = linux.devices() {
-        for specdev in devices.iter() {
-            if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
-                let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
-                let secure_storage_integrity = AGENT_CONFIG.secure_storage_integrity.to_string();
-                info!(
-                    sl(),
-                    "trusted_store device major:min {}, enable data integrity {}",
-                    dev_major_minor,
-                    secure_storage_integrity
-                );
-
-                let options = std::collections::HashMap::from([
-                    ("deviceId".to_string(), dev_major_minor),
-                    ("encryptType".to_string(), "LUKS".to_string()),
-                    ("dataIntegrity".to_string(), secure_storage_integrity),
-                ]);
-                cdh::secure_mount("BlockDevice", &options, vec![], KATA_IMAGE_WORK_DIR).await?;
-                break;
-            }
-        }
-    }
    Ok(())
 }

--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@ -39,6 +39,11 @@ kbs_set_allow_all_resources() {
 		"${COCO_KBS_DIR}/sample_policies/allow_all.rego"
 }

+kbs_set_default_policy() {
+	kbs_set_resources_policy \
+		"${COCO_KBS_DIR}/src/policy_engine/opa/default_policy.rego"
+}
+
 # Set "deny all" policy to resources.
 #
 kbs_set_deny_all_resources() {
--- a/tests/integration/kubernetes/k8s-sealed-secret.bats
+++ b/tests/integration/kubernetes/k8s-sealed-secret.bats
@ -15,7 +15,9 @@ export KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
 export AA_KBC="${AA_KBC:-cc_kbc}"

 setup() {
-	[ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] || skip "Test not ready yet for ${KATA_HYPERVISOR}"
+	if ! is_confidential_runtime_class; then
+		skip "Test not supported for ${KATA_HYPERVISOR}."
+	fi

 	if [ "${KBS}" = "false" ]; then
 		skip "Test skipped as KBS not setup"
@ -70,6 +72,8 @@ setup() {

 	if ! is_confidential_hardware; then
 		kbs_set_allow_all_resources
+	else
+		kbs_set_default_policy
 	fi
 }

@ -103,7 +107,9 @@ setup() {
 }

 teardown() {
-	[ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] || skip "Test not ready yet for ${KATA_HYPERVISOR}"
+	if ! is_confidential_runtime_class; then
+		skip "Test not supported for ${KATA_HYPERVISOR}."
+	fi

 	if [ "${KBS}" = "false" ]; then
 		skip "Test skipped as KBS not setup"