|
| 1 | +#!/usr/bin/env bats |
| 2 | +# Copyright (c) 2023 Intel Corporation |
| 3 | +# |
| 4 | +# SPDX-License-Identifier: Apache-2.0 |
| 5 | +# |
| 6 | + |
| 7 | +load "${BATS_TEST_DIRNAME}/lib.sh" |
| 8 | +load "${BATS_TEST_DIRNAME}/../../confidential/lib.sh" |
| 9 | +load "${BATS_TEST_DIRNAME}/../../../lib/common.bash" |
| 10 | + |
| 11 | +# Allow to configure the runtimeClassName on pod configuration. |
| 12 | +RUNTIMECLASS="${RUNTIMECLASS:-kata}" |
| 13 | +test_tag="[cc][agent][kubernetes][containerd]" |
| 14 | +original_kernel_params=$(get_kernel_params) |
| 15 | + |
| 16 | +setup() { |
| 17 | + start_date=$(date +"%Y-%m-%d %H:%M:%S") |
| 18 | + |
| 19 | + kubernetes_delete_all_cc_pods_if_any_exists || true |
| 20 | + |
| 21 | + echo "Prepare containerd for Confidential Container" |
| 22 | + SAVED_CONTAINERD_CONF_FILE="/etc/containerd/config.toml.$$" |
| 23 | + configure_cc_containerd "$SAVED_CONTAINERD_CONF_FILE" |
| 24 | + |
| 25 | + echo "Reconfigure Kata Containers" |
| 26 | + switch_image_service_offload on |
| 27 | + clear_kernel_params |
| 28 | + add_kernel_params "${original_kernel_params}" |
| 29 | + |
| 30 | + setup_proxy |
| 31 | + switch_measured_rootfs_verity_scheme none |
| 32 | + |
| 33 | + kubectl delete secret sealed-secret --ignore-not-found |
| 34 | + # Sealed secret format is defined at: https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/docs/SEALED_SECRET.md#vault |
| 35 | + # sealed.BASE64URL(UTF8(JWS Protected Header)) || '. |
| 36 | + # || BASE64URL(JWS Payload) || '.' |
| 37 | + # || BASE64URL(JWS Signature) |
| 38 | + # test payload: |
| 39 | + # { |
| 40 | + # "version": "0.1.0", |
| 41 | + # "type": "vault", |
| 42 | + # "name": "kbs:///default/sealed-secret/test", |
| 43 | + # "provider": "kbs", |
| 44 | + # "provider_settings": {}, |
| 45 | + # "annotations": {} |
| 46 | + # } |
| 47 | + kubectl create secret generic sealed-secret --from-literal='password=sealed.fakejwsheader.ewogICAgInZlcnNpb24iOiAiMC4xLjAiLAogICAgInR5cGUiOiAidmF1bHQiLAogICAgIm5hbWUiOiAia2JzOi8vL2RlZmF1bHQvc2VhbGVkLXNlY3JldC90ZXN0IiwKICAgICJwcm92aWRlciI6ICJrYnMiLAogICAgInByb3ZpZGVyX3NldHRpbmdzIjoge30sCiAgICAiYW5ub3RhdGlvbnMiOiB7fQp9Cg==.fakesignature' |
| 48 | +} |
| 49 | + |
| 50 | +@test "$test_tag Test can use KBS to unseal secret as environment or volume file" { |
| 51 | + if [ "${AA_KBC}" = "offline_fs_kbc" ]; then |
| 52 | + setup_offline_fs_kbc_secret_files_in_guest |
| 53 | + elif [ "${AA_KBC}" = "cc_kbc" ]; then |
| 54 | + # CC KBC is specified as: cc_kbc::http://host_ip:port/, and 60000 is the default port used |
| 55 | + # by the service, as well as the one configured in the Kata Containers rootfs. |
| 56 | + CC_KBS_IP=${CC_KBS_IP:-"$(hostname -I | awk '{print $1}')"} |
| 57 | + CC_KBS_PORT=${CC_KBS_PORT:-"60000"} |
| 58 | + add_kernel_params "agent.aa_kbc_params=cc_kbc::http://${CC_KBS_IP}:${CC_KBS_PORT}/" |
| 59 | + fi |
| 60 | + |
| 61 | + local base_config="${FIXTURES_DIR}/pod-config-secret.yaml.in" |
| 62 | + |
| 63 | + local pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename ${base_config}).XXX") |
| 64 | + RUNTIMECLASS="$RUNTIMECLASS" envsubst \$RUNTIMECLASS < "$base_config" > "$pod_config" |
| 65 | + echo "$pod_config" |
| 66 | + |
| 67 | + kubernetes_create_cc_pod $pod_config |
| 68 | + |
| 69 | + # Wait 5s for connecting with remote KBS to unseal secret |
| 70 | + sleep 5 |
| 71 | + |
| 72 | + kubectl logs secret-test-pod-cc |
| 73 | + kubectl logs secret-test-pod-cc | grep -q "unsealed environment as expected" |
| 74 | + kubectl logs secret-test-pod-cc | grep -q "unsealed volume as expected" |
| 75 | +} |
| 76 | + |
| 77 | +teardown() { |
| 78 | + # Print the logs and cleanup resources. |
| 79 | + echo "-- Kata logs:" |
| 80 | + sudo journalctl -xe -t kata --since "$start_date" -n 100000 |
| 81 | + |
| 82 | + # Allow to not destroy the environment if you are developing/debugging |
| 83 | + # tests. |
| 84 | + if [[ "${CI:-false}" == "false" && "${DEBUG:-}" == true ]]; then |
| 85 | + echo "Leaving changes and created resources untoughted" |
| 86 | + return |
| 87 | + fi |
| 88 | + |
| 89 | + kubernetes_delete_all_cc_pods_if_any_exists || true |
| 90 | + kubectl delete secret sealed-secret --ignore-not-found |
| 91 | + |
| 92 | + clear_kernel_params |
| 93 | + add_kernel_params "${original_kernel_params}" |
| 94 | + switch_image_service_offload off |
| 95 | + disable_full_debug |
| 96 | +} |
0 commit comments