kata-containers/tests/integration/kubernetes/k8s-sealed-secret.bats

#!/usr/bin/env bats
# Copyright 2024 IBM Corporation
# Copyright 2024 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Test for Sealed Secret feature of CoCo
#

load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/confidential_common.sh"

export KBS="${KBS:-false}"
export KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
export AA_KBC="${AA_KBC:-cc_kbc}"

setup() {
	if ! is_confidential_runtime_class; then
		skip "Test not supported for ${KATA_HYPERVISOR}."
	fi

	if [ "${KBS}" = "false" ]; then
		skip "Test skipped as KBS not setup"
	fi

	setup_common || die "setup_common failed"
	get_pod_config_dir

	export K8S_TEST_ENV_YAML="${pod_config_dir}/pod-sealed-secret.yaml"
	export K8S_TEST_FILE_YAML="${pod_config_dir}/pod-sealed-secret-as-file.yaml"
	# Schedule on a known node so that later it can print the system's logs for
	# debugging.
	set_node "$K8S_TEST_ENV_YAML" "$node"
	set_node "$K8S_TEST_FILE_YAML" "$node"

	local CC_KBS_ADDR
	export CC_KBS_ADDR=$(kbs_k8s_svc_http_addr)
	kernel_params_annotation="io.katacontainers.config.hypervisor.kernel_params"
	kernel_params_value="agent.guest_components_procs=confidential-data-hub"

	# For now we set aa_kbc_params via kernel cmdline
	if [ "${AA_KBC}" = "cc_kbc" ]; then
		kernel_params_value+=" agent.aa_kbc_params=cc_kbc::${CC_KBS_ADDR}"
	fi
	set_metadata_annotation "${K8S_TEST_ENV_YAML}" \
		"${kernel_params_annotation}" \
		"${kernel_params_value}"
	set_metadata_annotation "${K8S_TEST_FILE_YAML}" \
		"${kernel_params_annotation}" \
		"${kernel_params_value}"

	# Setup k8s secret
	kubectl delete secret sealed-secret --ignore-not-found
	kubectl delete secret not-sealed-secret --ignore-not-found

	# Sealed secret format is defined at: https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/docs/SEALED_SECRET.md#vault
	# sealed.BASE64URL(UTF8(JWS Protected Header)) || '.
	# || BASE64URL(JWS Payload) || '.'
	# || BASE64URL(JWS Signature)
	# test payload:
	# {
	# "version": "0.1.0",
	# "type": "vault",
	# "name": "kbs:///default/sealed-secret/test",
	# "provider": "kbs",
	# "provider_settings": {},
	# "annotations": {}
	# }
	kubectl create secret generic sealed-secret --from-literal='secret=sealed.fakejwsheader.eyJ2ZXJzaW9uIjoiMC4xLjAiLCJ0eXBlIjoidmF1bHQiLCJuYW1lIjoia2JzOi8vL2RlZmF1bHQvc2VhbGVkLXNlY3JldC90ZXN0IiwicHJvdmlkZXIiOiJrYnMiLCJwcm92aWRlcl9zZXR0aW5ncyI6e30sImFubm90YXRpb25zIjp7fX0.fakesignature'

	kubectl create secret generic not-sealed-secret --from-literal='secret=not_sealed_secret'

	if ! is_confidential_hardware; then
		kbs_set_allow_all_resources
	else
		kbs_set_default_policy
	fi
}

@test "Cannot Unseal Env Secrets with CDH without key" {
	k8s_create_pod "${K8S_TEST_ENV_YAML}"

	kubectl logs secret-test-pod-cc
	kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
	cmd="kubectl logs secret-test-pod-cc | grep -q \"PROTECTED_SECRET = unsealed_secret\""
	run $cmd
	[ "$status" -eq 1 ]
}


@test "Unseal Env Secrets with CDH" {
	kbs_set_resource "default" "sealed-secret" "test" "unsealed_secret"
	k8s_create_pod "${K8S_TEST_ENV_YAML}"

	kubectl logs secret-test-pod-cc
	kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
	kubectl logs secret-test-pod-cc | grep -q "PROTECTED_SECRET = unsealed_secret"
}

@test "Unseal File Secrets with CDH" {
	kbs_set_resource "default" "sealed-secret" "test" "unsealed_secret"
	k8s_create_pod "${K8S_TEST_FILE_YAML}"

	kubectl logs secret-test-pod-cc
	kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
	kubectl logs secret-test-pod-cc | grep -q "PROTECTED_SECRET = unsealed_secret"
}

teardown() {
	if ! is_confidential_runtime_class; then
		skip "Test not supported for ${KATA_HYPERVISOR}."
	fi

	if [ "${KBS}" = "false" ]; then
		skip "Test skipped as KBS not setup"
	fi

	teardown_common "${node}" "${node_start_time:-}"
	kubectl delete secret sealed-secret --ignore-not-found
	kubectl delete secret not-sealed-secret --ignore-not-found
}