mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-10 15:56:47 +00:00
Replace the kustomize-based Trustee deployment with the upstream Trustee Helm chart (deployment/helm-chart) for every platform, including TDX and s390x, which the previous iteration still left on kustomize. The chart deploys KBS, AS and RVPS as three separate images, so versions.yaml pins image_kbs/image_as/image_rvps (from the upstream staged-images registry) alongside the trustee revision, and bumps trustee to a build that carries the IBM SE material mounting support and the SHA-512 report-data change. guest-components is bumped in lockstep so IBM SE attestation agrees on the SHA-512 runtime-data digest. KBS runs with authorization_mode = "AuthenticatedAuthorization", so admin requests from kbs-client carry the bearer token minted by the chart's bootstrap job instead of relying on an anonymous, allow-all admin API. As reused CI runners may still carry a kbs-client from an older Trustee that predates the --admin-token-file flag, the client is rebuilt from the pinned sources unless the installed one already understands it. On the Intel TDX CI runner only the Attestation Service reaches the public Intel DCAP collateral endpoint, so it is the sole component that needs the corporate proxy. We set https_proxy on the AS alone: the KBS <-> AS <-> RVPS traffic is plain HTTP/gRPC and in-cluster, and routing it through the proxy breaks those connections. The Intel DCAP and NVIDIA verifiers are configured by the chart out of the box, so TDX and SNP need no extra verifier knobs. For IBM SE (s390x) the SE verifier now runs inside the gRPC Attestation Service, so the SE materials are mounted on the AS Pod (not KBS) through the chart's as.ibmse.* knobs, which create a node-local PV/PVC. The AS runs as a non-root user with CAP_DAC_OVERRIDE dropped, hence fsGroup=1000 and a group-readable hdr.bin so it can read the mounted materials. The chart's default CPU requests reserve more of the small single-node CI runners than the old single-Pod deployment did, starving test workloads that ask for a couple of Guaranteed CPUs. Trustee requests are shrunk (limits kept generous) so those Pods schedule again. Debug logging is enabled on all components (log_level=debug) to ease triaging attestation / resource-retrieval failures in CI, and the release is rolled out with 'helm upgrade --install' so re-runs on long-lived CI clusters reconcile in place. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com> Assisted-by: Cursor <cursoragent@cursor.com>