Merge pull request #11259 from fitzthum/bump-gc-0140

Update Trustee and Guest Components for CoCo v0.14.0
This commit is contained in:
Steve Horsman 2025-05-20 18:05:17 +01:00 committed by GitHub
commit f8c5aa6df6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 594 additions and 371 deletions

935
src/agent/Cargo.lock generated

File diff suppressed because it is too large Load Diff

View File

@ -163,7 +163,7 @@ strum.workspace = true
strum_macros.workspace = true
# Image pull/decrypt
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "1191f8257eb65f42892ab0328cec02e58d40de84", default-features = false, optional = true }
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "0a06ef241190780840fbb0542e51b198f1f72b0b", default-features = false, optional = true }
# Agent Policy
cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }

View File

@ -87,7 +87,7 @@ function setup_kbs_credentials() {
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
assert_pod_fail "${kata_pod}"
assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull manifest Not authorized"
assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
}
@test "Test that creating a container from an authenticated image, with no credentials fails" {
@ -100,7 +100,7 @@ function setup_kbs_credentials() {
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
assert_pod_fail "${kata_pod}"
assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull manifest Not authorized"
assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
}
teardown() {

View File

@ -52,8 +52,8 @@ function setup_kbs_decryption_key() {
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
assert_pod_fail "${kata_pod}"
assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
assert_logs_contain "${node}" kata "${node_start_time}" 'kms interface when get KEK failed'
}
@ -80,8 +80,7 @@ function setup_kbs_decryption_key() {
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
assert_pod_fail "${kata_pod}"
assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
}
teardown() {

View File

@ -97,7 +97,7 @@ EOF
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
assert_pod_fail "${kata_pod}"
assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
}
@test "Create a pod from a signed image, on a 'restricted registry' is successful" {
@ -123,7 +123,7 @@ EOF
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
assert_pod_fail "${kata_pod}"
assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
}
@test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set" {

View File

@ -84,8 +84,7 @@ setup() {
# The pod should be failed because the unpacked image size is larger than the memory size in the guest.
assert_pod_fail "$pod_config"
assert_logs_contain "$node" kata "$node_start_time" \
'No space left on device'
assert_logs_contain "$node" kata "$node_start_time" "failed to pull image"
}
@test "Test we can pull an image inside the guest using trusted storage" {

View File

@ -165,7 +165,7 @@ EOF
echo "Pod ${kata_pod}: $(cat ${kata_pod})"
assert_pod_fail "${kata_pod}"
assert_logs_contain "${node}" kata "${node_start_time}" "image security validation failed"
assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
}
@test "Test that creating a container from an rejected image not configured by initdata, fails according to CDH error" {

View File

@ -233,18 +233,18 @@ externals:
coco-guest-components:
description: "Provides attested key unwrapping for image decryption"
url: "https://github.com/confidential-containers/guest-components/"
version: "1191f8257eb65f42892ab0328cec02e58d40de84"
version: "0a06ef241190780840fbb0542e51b198f1f72b0b"
toolchain: "1.80.0"
coco-trustee:
description: "Provides attestation and secret delivery components"
url: "https://github.com/confidential-containers/trustee"
version: "bc26ac5acd8314ba34fe837d6886beb1ce384106"
version: "d9eb5e0cb0aca97abe35b58908e061850ff60a51"
# image / ita_image and image_tag / ita_image_tag must be in sync
image: "ghcr.io/confidential-containers/staged-images/kbs"
image_tag: "bc26ac5acd8314ba34fe837d6886beb1ce384106"
image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51"
ita_image: "ghcr.io/confidential-containers/staged-images/kbs-ita-as"
ita_image_tag: "bc26ac5acd8314ba34fe837d6886beb1ce384106-x86_64"
ita_image_tag: "d9eb5e0cb0aca97abe35b58908e061850ff60a51-x86_64"
toolchain: "1.80.0"
crio: