Merge pull request #11259 from fitzthum/bump-gc-0140

Update Trustee and Guest Components for CoCo v0.14.0

src/agent/Cargo.toml

@@ -163,7 +163,7 @@ strum.workspace = true
 strum_macros.workspace = true
 
 # Image pull/decrypt
-image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "1191f8257eb65f42892ab0328cec02e58d40de84", default-features = false, optional = true }
+image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "0a06ef241190780840fbb0542e51b198f1f72b0b", default-features = false, optional = true }
 
 # Agent Policy
 cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }

tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats

@@ -87,7 +87,7 @@ function setup_kbs_credentials() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull manifest Not authorized"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
 
 @test "Test that creating a container from an authenticated image, with no credentials fails" {
@@ -100,7 +100,7 @@ function setup_kbs_credentials() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull manifest Not authorized"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
 
 teardown() {

tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats

@@ -52,8 +52,8 @@ function setup_kbs_decryption_key() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
-    assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'kms interface when get KEK failed'
 }
 
 
@@ -80,8 +80,7 @@ function setup_kbs_decryption_key() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
-    assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
 }
 
 teardown() {

tests/integration/kubernetes/k8s-guest-pull-image-signature.bats

@@ -97,7 +97,7 @@ EOF
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
 
 @test "Create a pod from a signed image, on a 'restricted registry' is successful" {
@@ -123,7 +123,7 @@ EOF
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
 
 @test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set" {

tests/integration/kubernetes/k8s-guest-pull-image.bats

@@ -84,8 +84,7 @@ setup() {
 
     # The pod should be failed because the unpacked image size is larger than the memory size in the guest.
     assert_pod_fail "$pod_config"
-    assert_logs_contain "$node" kata "$node_start_time" \
-		'No space left on device'
+    assert_logs_contain "$node" kata "$node_start_time" "failed to pull image"
 }
 
 @test "Test we can pull an image inside the guest using trusted storage" {

tests/integration/kubernetes/k8s-initdata.bats

@@ -165,7 +165,7 @@ EOF
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
 
 @test "Test that creating a container from an rejected image not configured by initdata, fails according to CDH error" {

versions.yaml

@@ -233,18 +233,18 @@ externals:
   coco-guest-components:
     description: "Provides attested key unwrapping for image decryption"
     url: "https://github.com/confidential-containers/guest-components/"
-    version: "1191f8257eb65f42892ab0328cec02e58d40de84"
+    version: "0a06ef241190780840fbb0542e51b198f1f72b0b"
     toolchain: "1.80.0"
 
   coco-trustee:
     description: "Provides attestation and secret delivery components"
     url: "https://github.com/confidential-containers/trustee"
-    version: "bc26ac5acd8314ba34fe837d6886beb1ce384106"
+    version: "d9eb5e0cb0aca97abe35b58908e061850ff60a51"
     # image / ita_image and image_tag / ita_image_tag must be in sync
     image: "ghcr.io/confidential-containers/staged-images/kbs"
-    image_tag: "bc26ac5acd8314ba34fe837d6886beb1ce384106"
+    image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51"
     ita_image: "ghcr.io/confidential-containers/staged-images/kbs-ita-as"
-    ita_image_tag: "bc26ac5acd8314ba34fe837d6886beb1ce384106-x86_64"
+    ita_image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51-x86_64"
     toolchain: "1.80.0"
 
   crio: