test/e2e: kbs: Use the cached kbs-client

To save us storage space, time and the requirement on the rust toolchain, we can pull down the cached kbs-client rather than building it ourselves. - Update checkout_kbs.sh to use oras to pull the kbs-client binary from the cache rather than building it. - Fix the kbs-client path now that it is pulled into `kbs`, not build into target/releases Signed-off-by: stevenhorsman <[email protected]>
confidential-containers · Oct 22, 2024 · 10aad5a · 10aad5a
1 parent 0a0b0b7
commit 10aad5a
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 14 deletions.
diff --git a/src/cloud-api-adaptor/test/e2e/README.md b/src/cloud-api-adaptor/test/e2e/README.md
@@ -62,6 +62,10 @@ To prepare trustee, execute the following helper script:
 ```sh
 ${cloud-api-adaptor-repo-dir}/src/cloud-api-adaptor/test/utils/checkout_kbs.sh
 ```
+> [!NOTE]
+> This script requires [oras](https://oras.land/docs/installation/) to be installed to pull down and verify
+the cached kbs-client.
+
 
 We need build and use the PodVM image:
 

diff --git a/src/cloud-api-adaptor/test/provisioner/trustee_kbs.go b/src/cloud-api-adaptor/test/provisioner/trustee_kbs.go
@@ -466,12 +466,11 @@ func (p *KeyBrokerService) GetKbsEndpoint(ctx context.Context, cfg *envconf.Conf
 }
 
 func (p *KeyBrokerService) EnableKbsCustomizedResourcePolicy(customizedOpaFile string) error {
-	kbsClientDir := filepath.Join(trusteeRepoPath, "target/release")
 	privateKey := filepath.Join(getKbsKubernetesFilePath(), "base/kbs.key")
 	policyFile := filepath.Join(trusteeRepoPath, "kbs/sample_policies", customizedOpaFile)
 	log.Info("EnableKbsCustomizedPolicy: ", policyFile)
 	cmd := exec.Command("./kbs-client", "--url", p.endpoint, "config", "--auth-private-key", privateKey, "set-resource-policy", "--policy-file", policyFile)
-	cmd.Dir = kbsClientDir
+	cmd.Dir = trusteeRepoPath
 	cmd.Env = os.Environ()
 	stdoutStderr, err := cmd.CombinedOutput()
 	log.Tracef("%v, output: %s", cmd, stdoutStderr)
@@ -482,12 +481,11 @@ func (p *KeyBrokerService) EnableKbsCustomizedResourcePolicy(customizedOpaFile s
 }
 
 func (p *KeyBrokerService) EnableKbsCustomizedAttestationPolicy(customizedOpaFile string) error {
-	kbsClientDir := filepath.Join(trusteeRepoPath, "target/release")
 	privateKey := filepath.Join(getKbsKubernetesFilePath(), "base/kbs.key")
 	policyFile := filepath.Join(trusteeRepoPath, "kbs/sample_policies", customizedOpaFile)
 	log.Info("EnableKbsCustomizedPolicy: ", policyFile)
 	cmd := exec.Command("./kbs-client", "--url", p.endpoint, "config", "--auth-private-key", privateKey, "set-attestation-policy", "--policy-file", policyFile)
-	cmd.Dir = kbsClientDir
+	cmd.Dir = trusteeRepoPath
 	cmd.Env = os.Environ()
 	stdoutStderr, err := cmd.CombinedOutput()
 	log.Tracef("%v, output: %s", cmd, stdoutStderr)
@@ -498,7 +496,6 @@ func (p *KeyBrokerService) EnableKbsCustomizedAttestationPolicy(customizedOpaFil
 }
 
 func (p *KeyBrokerService) SetSampleSecretKey() error {
-	kbsClientDir := filepath.Join(trusteeRepoPath, "target/release")
 	privateKey := filepath.Join(getKbsKubernetesFilePath(), "base/kbs.key")
 	overlaysPath, err := getOverlaysPath()
 	if err != nil {
@@ -507,7 +504,7 @@ func (p *KeyBrokerService) SetSampleSecretKey() error {
 	keyFilePath := filepath.Join(getKbsKubernetesFilePath(), overlaysPath, "key.bin")
 	log.Info("set key resource: ", keyFilePath)
 	cmd := exec.Command("./kbs-client", "--url", p.endpoint, "config", "--auth-private-key", privateKey, "set-resource", "--path", "reponame/workload_key/key.bin", "--resource-file", keyFilePath)
-	cmd.Dir = kbsClientDir
+	cmd.Dir = trusteeRepoPath
 	cmd.Env = os.Environ()
 	stdoutStderr, err := cmd.CombinedOutput()
 	log.Tracef("%v, output: %s", cmd, stdoutStderr)

diff --git a/src/cloud-api-adaptor/test/utils/checkout_kbs.sh b/src/cloud-api-adaptor/test/utils/checkout_kbs.sh
@@ -13,24 +13,25 @@ VERSIONS_YAML_PATH=$(realpath "${TEST_DIR}/../versions.yaml")
 KBS_REPO=$(yq -e '.git.kbs.url' "${VERSIONS_YAML_PATH}")
 KBS_VERSION=$(yq -e '.git.kbs.reference' "${VERSIONS_YAML_PATH}")
 
-echo "${KBS_REPO}, ${KBS_VERSION}"
+install_kbs_client() {
+    kbs_sha=$1
+    arch=$(uname -m)
+
+    oras pull "ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-${arch}-linux-gnu-${kbs_sha}"
+    chmod +x ./kbs-client
+}
 
 rm -rf "${TEST_DIR}/trustee"
 git clone "${KBS_REPO}" "${TEST_DIR}/trustee"
 pushd "${TEST_DIR}/trustee"
 git checkout "${KBS_VERSION}"
 KBS_SHA="$(git rev-parse HEAD)"
 
-# kbs-client setup - to be removed when we use the cached version instead
-sudo apt-get update -y
-sudo apt-get install -y build-essential pkg-config libssl-dev
-pushd kbs
-make CLI_FEATURES=sample_only cli
-popd
+install_kbs_client "${KBS_SHA}"
 
 pushd kbs/config/kubernetes/base/
 # Trustee only updates their staging image reliably with sha tags,
 # so switch to use that and convert the version to the sha
-kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:${KBS_SHA}
+kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:"${KBS_SHA}"
 # For debugging
 echo "Trustee deployment: $(cat kustomization.yaml). Images: $(grep -A 5 images: kustomization.yaml)"