diff --git a/tests/integration/kubernetes/confidential_common.sh b/tests/integration/kubernetes/confidential_common.sh
index 02337b0229..b46207ca66 100644
--- a/tests/integration/kubernetes/confidential_common.sh
+++ b/tests/integration/kubernetes/confidential_common.sh
@@ -7,6 +7,9 @@
 source "${BATS_TEST_DIRNAME}/tests_common.sh"
+SUPPORTED_TEE_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx" "qemu-se")
+SUPPORTED_NON_TEE_HYPERVISORS=("qemu")
+
 function setup_unencrypted_confidential_pod() {
 get_pod_config_dir
@@ -33,3 +36,26 @@ function get_remote_command_per_hypervisor() {
 echo "${REMOTE_COMMAND_PER_HYPERVISOR[${KATA_HYPERVISOR}]}"
 }
+
+# This function verifies whether the input hypervisor supports confidential tests and
+# relies on `KATA_HYPERVISOR` being an environment variable
+function check_hypervisor_for_confidential_tests() {
+ local kata_hypervisor="${1}"
+ # This check must be done with "${KATA_HYPERVISOR}" to avoid
+ # having substrings, like qemu, being matched with qemu-$something.
+ if [[ " ${SUPPORTED_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]] ||\
+ [[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${kata_hypervisor} " ]]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Common setup for confidential tests.
+function confidential_setup() {
+ if ! check_hypervisor_for_confidential_tests "${KATA_HYPERVISOR}"; then
+ return 1
+ elif [[ " ${SUPPORTED_NON_TEE_HYPERVISORS[*]} " =~ " ${KATA_HYPERVISOR} " ]]; then
+ info "Need to apply image annotations"
+ fi
+}
diff --git a/tests/integration/kubernetes/k8s-confidential.bats b/tests/integration/kubernetes/k8s-confidential.bats
index 29172a4b80..01abec96a0 100644
--- a/tests/integration/kubernetes/k8s-confidential.bats
+++ b/tests/integration/kubernetes/k8s-confidential.bats
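Review bot: The two comments on `check_hypervisor_for_confidential_tests` in confidential_common.sh describe the old inline code rather than the new function: the header says it relies on `KATA_HYPERVISOR` being an environment variable and the body comment says the check must be done with "${KATA_HYPERVISOR}", yet the function only reads its first argument. I would reword the header to `# Returns 0 when the hypervisor name passed as $1 is listed in SUPPORTED_TEE_HYPERVISORS or SUPPORTED_NON_TEE_HYPERVISORS, 1 otherwise.` and the inner comment to `# Pad both sides with spaces so that "qemu" cannot match inside "qemu-snp".` The return code does not tell a TEE hypervisor from plain `qemu`, so a caller that needs that distinction still has to test `SUPPORTED_NON_TEE_HYPERVISORS` itself, as `confidential_setup` does; that is worth stating in the header as well.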
@@ -10,21 +10,8 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
- SUPPORTED_TEE_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx" "qemu-se")
- SUPPORTED_NON_TEE_HYPERVISORS=("qemu")
-
- # This check must be done with "${KATA_HYPERVISOR}" to avoid
- # having substrings, like qemu, being matched with qemu-$something.
- if ! [[ " ${SUPPORTED_TEE_HYPERVISORS[@]} " =~ " ${KATA_HYPERVISOR} " ]] && ! [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]; then
- skip "Test not supported for ${KATA_HYPERVISOR}."
- fi
-
- if [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]; then
- info "Need to apply image annotations"
- else
- get_pod_config_dir
- setup_unencrypted_confidential_pod
- fi
+ confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}."
+ setup_unencrypted_confidential_pod
 }
 @test "Test unencrypted confidential container launch success and verify that we are running in a secure enclave." {
@@ -54,10 +41,8 @@ setup() {
 }
 teardown() {
- if ! [[ " ${SUPPORTED_TEE_HYPERVISORS[@]} " =~ " ${KATA_HYPERVISOR} " ]] && ! [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]; then
- skip "Test not supported for ${KATA_HYPERVISOR}."
- fi
-
+ check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}."
+
 kubectl describe "pod/${pod_name}" || true
 kubectl delete -f "${pod_config_dir}/pod-confidential-unencrypted.yaml" || true
 }
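Review bot: In `setup()` of k8s-confidential.bats, `confidential_setup || skip ...` turns every non-zero return of `confidential_setup` into a skipped test. Today the only failure path is the hypervisor check, but its non-TEE branch is still just an `info` line, and once the helper does real work a failed setup on a supported TEE hypervisor would be reported as "not supported" instead of failing the run. Keeping the gate and the setup apart avoids that: `check_hypervisor_for_confidential_tests "${KATA_HYPERVISOR}" || skip "Test not supported for ${KATA_HYPERVISOR}."` followed by a bare `confidential_setup`. `setup_unencrypted_confidential_pod` is also now called for plain `qemu`, which the removed `else` branch did not do; it is worth confirming that this is intended.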
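Review bot: The call added to `teardown()` passes `${KATA_HYPERVISOR}` unquoted, unlike the quoted call inside `confidential_setup`; with the variable empty or unset the function receives no argument at all, and a value containing whitespace would be split into several. Suggested line: `check_hypervisor_for_confidential_tests "${KATA_HYPERVISOR}" || skip "Test not supported for ${KATA_HYPERVISOR}."`.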