kata-containers/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats

#!/usr/bin/env bats
# Copyright (c) 2024 IBM Corporation
#
# SPDX-License-Identifier: Apache-2.0
#

load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/confidential_common.sh"

export KBS="${KBS:-false}"

setup() {
    if ! is_confidential_runtime_class; then
        skip "Test not supported for ${KATA_HYPERVISOR}."
    fi

    [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one"

    setup_common || die "setup_common failed"
    AUTHENTICATED_IMAGE="${AUTHENTICATED_IMAGE:-quay.io/kata-containers/confidential-containers-auth:test}"
    AUTHENTICATED_IMAGE_USER=${AUTHENTICATED_IMAGE_USER:-}
    AUTHENTICATED_IMAGE_PASSWORD=${AUTHENTICATED_IMAGE_PASSWORD:-}

    if [[ -z ${AUTHENTICATED_IMAGE_USER} || -z ${AUTHENTICATED_IMAGE_PASSWORD} ]]; then
        if [[ -n ${GITHUB_ACTION:-} ]]; then
            die "User and/or password not supplied to authenticated registry test"
        else
            skip "running test locally due to missing user/password"
        fi
    fi

    # Set up Kubernetes secret for the nydus-snapshotter metadata pull
    kubectl delete secret cococred --ignore-not-found
    kubectl create secret docker-registry cococred --docker-server="https://"$(echo "$AUTHENTICATED_IMAGE" | cut -d':' -f1) \
    --docker-username="${AUTHENTICATED_IMAGE_USER}" --docker-password="${AUTHENTICATED_IMAGE_PASSWORD}"
}

function setup_kbs_credentials() {
    image=$1
    user=$2
    password=$3

    if [ "${KBS}" = "false" ]; then
        skip "Test skipped as KBS not setup"
    fi

    registry_credential_encoded=$(echo "${user}:${password}" | base64 -w 0)
    registry=$(echo "$image" | cut -d':' -f1)

    auth_json=$(echo "{
    \"auths\": {
        \"${registry}\": {
            \"auth\": \"${registry_credential_encoded}\"
        }
    }
}")

    if ! is_confidential_hardware; then
        kbs_set_allow_all_resources
    fi

    kbs_set_resource "default" "credentials" "test" "${auth_json}"
}

@test "Test that creating a container from an authenticated image, with correct credentials works" {

    setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD}

    create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node"
    yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"

    # For debug sake
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"

    k8s_create_pod "${kata_pod}"
    echo "Kata pod test-e2e from authenticated image is running"
}

@test "Test that creating a container from an authenticated image, with incorrect credentials fails" {

    setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk"

    create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node"
    yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"

    # For debug sake
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"

    assert_pod_fail "${kata_pod}"
    assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized"
}

@test "Test that creating a container from an authenticated image, with no credentials fails" {

    # Create pod config, but don't add agent.image_registry_auth annotation
    create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "" "" "resource" "$node"
    yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"

    # For debug sake
    echo "Pod ${kata_pod}: $(cat ${kata_pod})"

    assert_pod_fail "${kata_pod}"
    assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized"
}

teardown() {
    if ! is_confidential_runtime_class; then
        skip "Test not supported for ${KATA_HYPERVISOR}."
    fi

    [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one"

    confidential_teardown_common "${node}" "${node_start_time:-}"
    kubectl delete secret cococred --ignore-not-found
}