Merge pull request #11890 from microsoft/saulparedes/optional_initdata

genpolicy: take path to initdata from command line if provided
2025-10-22 20:39:41 +00:00 · 2025-10-16 11:04:57 -05:00
parent d5cb9764fd ba7a5953c8
commit edbb4b633c
7 changed files with 38 additions and 3 deletions
--- a/src/libs/kata-types/src/initdata.rs
+++ b/src/libs/kata-types/src/initdata.rs
@@ -175,7 +175,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
 }
 /// Parse initdata
-fn parse_initdata(initdata_str: &str) -> Result<InitData> {
+pub fn parse_initdata(initdata_str: &str) -> Result<InitData> {
    let initdata: InitData = toml::from_str(initdata_str)?;
    initdata.validate()?;
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -577,7 +577,7 @@ impl AgentPolicy {
        if self.config.raw_out {
            std::io::stdout().write_all(policy.as_bytes()).unwrap();
        }
-        let mut initdata = kata_types::initdata::InitData::new("sha256", "0.1.0");
+        let mut initdata = self.config.initdata.clone();
        initdata.insert_data("policy.rego", policy);
        kata_types::initdata::encode_initdata(&initdata)
--- a/src/tools/genpolicy/src/utils.rs
+++ b/src/tools/genpolicy/src/utils.rs
@@ -5,6 +5,7 @@
 use crate::layers_cache;
 use crate::settings;
 use anyhow::Context;
 use clap::Parser;
 #[derive(Debug, Parser)]
@@ -105,6 +106,9 @@ struct CommandLineOptions {
    layers_cache_file_path: Option<String>,
    #[clap(short, long, help = "Print version information and exit")]
    version: bool,
    #[clap(long, help = "Path to the initdata TOML file", require_equals = true)]
    initdata_path: Option<String>,
 }
 /// Application configuration, derived from on command line parameters.
@@ -126,6 +130,7 @@ pub struct Config {
    pub containerd_socket_path: Option<String>,
    pub layers_cache: layers_cache::ImageLayersCache,
    pub version: bool,
    pub initdata: kata_types::initdata::InitData,
 }
 impl Config {
@@ -150,6 +155,18 @@ impl Config {
        let settings = settings::Settings::new(&args.json_settings_path);
        let initdata = match args.initdata_path.as_deref() {
            Some(p) => {
                let s = std::fs::read_to_string(p)
                    .context(format!("Failed to read initdata file {}", p))
                    .unwrap();
                kata_types::initdata::parse_initdata(&s)
                    .context(format!("Failed to parse initdata from {}", p))
                    .unwrap()
            }
            None => kata_types::initdata::InitData::new("sha256", "0.1.0"),
        };
        Self {
            use_cache: args.use_cached_files,
            insecure_registries: args.insecure_registry,
@@ -164,6 +181,7 @@ impl Config {
            containerd_socket_path: args.containerd_socket_path,
            layers_cache: layers_cache::ImageLayersCache::new(&layers_cache_file_path),
            version: args.version,
            initdata,
        }
    }
 }
--- a/src/tools/genpolicy/tests/policy/main.rs
+++ b/src/tools/genpolicy/tests/policy/main.rs
@@ -107,6 +107,7 @@ mod tests {
            use_cache: false,
            version: false,
            yaml_file: workdir.join("pod.yaml").to_str().map(|s| s.to_string()),
            initdata: kata_types::initdata::InitData::new("sha256", "0.1.0"),
        };
        // The container repos/network calls can be unreliable, so retry
--- a/tests/integration/kubernetes/k8s-policy-pod.bats
+++ b/tests/integration/kubernetes/k8s-policy-pod.bats
@@ -47,7 +47,7 @@ setup() {
 		cp "${correct_pod_yaml}" "${pre_generate_pod_yaml}"
 		# Add policy to the correct pod yaml file
-		auto_generate_policy "${policy_settings_dir}" "${correct_pod_yaml}" "${correct_configmap_yaml}"
+		auto_generate_policy_no_added_flags "${policy_settings_dir}" "${correct_pod_yaml}" "${correct_configmap_yaml}"
 	fi
    # Start each test case with a copy of the correct yaml files.
--- a/tests/integration/kubernetes/runtimeclass_workloads/default-initdata.toml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/default-initdata.toml
@@ -0,0 +1,4 @@
 version = "0.1.0"
 algorithm = "sha256"
 [data]
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -170,6 +170,7 @@ create_tmp_policy_settings_dir() {
 	tmp_settings_dir=$(mktemp -d --tmpdir="${common_settings_dir}" genpolicy.XXXXXXXXXX)
 	cp "${common_settings_dir}/rules.rego" "${tmp_settings_dir}"
 	cp "${common_settings_dir}/genpolicy-settings.json" "${tmp_settings_dir}"
 	cp "${common_settings_dir}/default-initdata.toml" "${tmp_settings_dir}"
 	echo "${tmp_settings_dir}"
 }
@@ -188,6 +189,17 @@ delete_tmp_policy_settings_dir() {
 # Execute genpolicy to auto-generate policy for a test YAML file.
 auto_generate_policy() {
 	declare -r settings_dir="$1"
 	declare -r yaml_file="$2"
 	declare -r config_map_yaml_file="${3:-""}"
 	declare additional_flags="${4:-""}"
 	additional_flags="${additional_flags} --initdata-path=${settings_dir}/default-initdata.toml"
 	auto_generate_policy_no_added_flags "${settings_dir}" "${yaml_file}" "${config_map_yaml_file}" "${additional_flags}"
 }
 auto_generate_policy_no_added_flags() {
 	declare -r settings_dir="$1"
 	declare -r yaml_file="$2"
 	declare -r config_map_yaml_file="${3:-""}"