Merge pull request #11259 from fitzthum/bump-gc-0140

Update Trustee and Guest Components for CoCo v0.14.0
2025-07-04 19:16:23 +00:00 · 2025-05-20 18:05:17 +01:00 · 2025-05-20 18:05:17 +01:00 · f8c5aa6df6
commit f8c5aa6df6
parent b4aa1e3fbd be708f410e
8 changed files with 594 additions and 371 deletions
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@ -163,7 +163,7 @@ strum.workspace = true
 strum_macros.workspace = true
 # Image pull/decrypt
-image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "1191f8257eb65f42892ab0328cec02e58d40de84", default-features = false, optional = true }
+image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "0a06ef241190780840fbb0542e51b198f1f72b0b", default-features = false, optional = true }
 # Agent Policy
 cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
--- a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats
@ -87,7 +87,7 @@ function setup_kbs_credentials() {
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"
    assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull manifest Not authorized"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
@test "Test that creating a container from an authenticated image, with no credentials fails" {
@ -100,7 +100,7 @@ function setup_kbs_credentials() {
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"
    assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull manifest Not authorized"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
 teardown() {
--- a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
@ -52,8 +52,8 @@ function setup_kbs_decryption_key() {
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"
    assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
-    assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'kms interface when get KEK failed'
 }
@ -80,8 +80,7 @@ function setup_kbs_decryption_key() {
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"
    assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
    assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
 }
 teardown() {
--- a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats
@ -97,7 +97,7 @@ EOF
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"
    assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
@test "Create a pod from a signed image, on a 'restricted registry' is successful" {
@ -123,7 +123,7 @@ EOF
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"
    assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
@test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set" {
--- a/tests/integration/kubernetes/k8s-guest-pull-image.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats
@ -84,8 +84,7 @@ setup() {
    # The pod should be failed because the unpacked image size is larger than the memory size in the guest.
    assert_pod_fail "$pod_config"
-    assert_logs_contain "$node" kata "$node_start_time" \
+    assert_logs_contain "$node" kata "$node_start_time" "failed to pull image"
 		'No space left on device'
 }
@test "Test we can pull an image inside the guest using trusted storage" {
--- a/tests/integration/kubernetes/k8s-initdata.bats
+++ b/tests/integration/kubernetes/k8s-initdata.bats
@ -165,7 +165,7 @@ EOF
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"
    assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
+    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
 }
@test "Test that creating a container from an rejected image not configured by initdata, fails according to CDH error" {
--- a/versions.yaml
+++ b/versions.yaml
@ -233,18 +233,18 @@ externals:
  coco-guest-components:
    description: "Provides attested key unwrapping for image decryption"
    url: "https://github.com/confidential-containers/guest-components/"
-    version: "1191f8257eb65f42892ab0328cec02e58d40de84"
+    version: "0a06ef241190780840fbb0542e51b198f1f72b0b"
    toolchain: "1.80.0"
  coco-trustee:
    description: "Provides attestation and secret delivery components"
    url: "https://github.com/confidential-containers/trustee"
-    version: "bc26ac5acd8314ba34fe837d6886beb1ce384106"
+    version: "d9eb5e0cb0aca97abe35b58908e061850ff60a51"
    # image / ita_image and image_tag / ita_image_tag must be in sync
    image: "ghcr.io/confidential-containers/staged-images/kbs"
-    image_tag: "bc26ac5acd8314ba34fe837d6886beb1ce384106"
+    image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51"
    ita_image: "ghcr.io/confidential-containers/staged-images/kbs-ita-as"
-    ita_image_tag: "bc26ac5acd8314ba34fe837d6886beb1ce384106-x86_64"
+    ita_image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51-x86_64"
    toolchain: "1.80.0"
  crio: