Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

e2e-test: update kbs test case to support kbs with ibmse verifier #1935

Merged
merged 2 commits into from
Jul 29, 2024
Merged

e2e-test: update kbs test case to support kbs with ibmse verifier #1935

merged 2 commits into from
Jul 29, 2024

Conversation

liudalibj
Copy link
Member

  • deploy kbs with ibmse verifer base on ENV IBM_SE_CREDS_DIR
  • update kbs test case for libvrit provider to support kbs with ibmse verifier
  • set key source before test cases
  • deny_all.rego and allow_with_wrong_image_tag.rego are FAIL cases
  • allow_with_correct_claims.rego is PASS case
  • quay.io/curl/curl:latest do NOT have s390x support, replace the fail case to use busybox wget command

fixes #1934

@liudalibj liudalibj added the test_e2e_libvirt Run Libvirt e2e tests label Jul 19, 2024
@stevenhorsman
Copy link
Member

@liudalibj - are you okay for this PR to go in post 0.9.0 release?

@liudalibj
Copy link
Member Author

@liudalibj - are you okay for this PR to go in post 0.9.0 release?

I am okay for this in in post 0.9.0 release.

@liudalibj liudalibj force-pushed the kbs-ibmse branch 5 times, most recently from 54bf408 to ab65bf2 Compare July 24, 2024 12:14
@liudalibj liudalibj requested review from bpradipt and genjuro214 July 26, 2024 02:35
@liudalibj
Copy link
Member Author

liudalibj commented Jul 26, 2024
edited
Loading

One whole test log can be found at here https://github.com/liudalibj/cloud-api-adaptor/actions/runs/10104917246/job/27944630835#step:5:1 the e2e-tests ibmse section -> check e2e-test result

...
[2024-07-26T01:19:21.366Z] time="2024-07-26T03:19:20+02:00" level=info msg="default serviceAccount exists, namespace 'coco-pp-e2e-test-958a7109' is ready for use"
[2024-07-26T01:19:21.366Z] === RUN   TestLibvirtKbsKeyRelease
[2024-07-26T01:19:21.366Z] time="2024-07-26T03:19:20+02:00" level=info msg="set key resource: ../../kbs/config/kubernetes/overlays/s390x/key.bin"
[2024-07-26T01:19:21.367Z] time="2024-07-26T03:19:20+02:00" level=info msg="EnableKbsCustomizedPolicy: ../../kbs/sample_policies/allow_all.rego"
[2024-07-26T01:19:21.367Z] time="2024-07-26T03:19:20+02:00" level=info msg="EnableKbsCustomizedPolicy: ../../kbs/sample_policies/deny_all.rego"
[2024-07-26T01:19:21.367Z] === PAUSE TestLibvirtKbsKeyRelease
[2024-07-26T01:19:21.367Z] === CONT  TestLibvirtKbsKeyRelease
[2024-07-26T01:19:21.367Z] time="2024-07-26T03:19:20+02:00" level=info msg="Do test kbs key release failure case"
[2024-07-26T01:19:21.367Z] === RUN   TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test
[2024-07-26T01:19:53.633Z]     assessment_runner.go:265: Waiting for containers in pod: busybox-wget-failure are ready
[2024-07-26T01:19:56.375Z] === RUN   TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test/Kbs_key_release_is_failed
[2024-07-26T01:20:06.475Z] time="2024-07-26T03:20:05+02:00" level=info msg="PASS as failed to access key.bin: "
[2024-07-26T01:20:06.475Z]     assessment_runner.go:415: Output when execute test commands:
[2024-07-26T01:20:06.475Z] time="2024-07-26T03:20:05+02:00" level=info msg="Deleting pod busybox-wget-failure..."
[2024-07-26T01:20:10.755Z] time="2024-07-26T03:20:10+02:00" level=info msg="Pod busybox-wget-failure has been successfully deleted within 60s"
[2024-07-26T01:20:10.755Z] === NAME  TestLibvirtKbsKeyRelease
[2024-07-26T01:20:10.755Z]     libvirt_test.go:118: KBS with ibmse cases
[2024-07-26T01:20:10.755Z] time="2024-07-26T03:20:10+02:00" level=info msg="EnableKbsCustomizedPolicy: ../../kbs/sample_policies/allow_with_wrong_image_tag.rego"
[2024-07-26T01:20:11.031Z] time="2024-07-26T03:20:10+02:00" level=info msg="Do test kbs key release failure case"
[2024-07-26T01:20:11.031Z] === RUN   TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test#01
[2024-07-26T01:20:43.336Z]     assessment_runner.go:265: Waiting for containers in pod: busybox-wget-failure are ready
[2024-07-26T01:20:45.929Z] === RUN   TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test#01/Kbs_key_release_is_failed
[2024-07-26T01:20:56.098Z] time="2024-07-26T03:20:54+02:00" level=info msg="PASS as failed to access key.bin: "
[2024-07-26T01:20:56.098Z]     assessment_runner.go:415: Output when execute test commands:
[2024-07-26T01:20:56.098Z] time="2024-07-26T03:20:54+02:00" level=info msg="Deleting pod busybox-wget-failure..."
[2024-07-26T01:21:00.362Z] time="2024-07-26T03:20:59+02:00" level=info msg="Pod busybox-wget-failure has been successfully deleted within 60s"
[2024-07-26T01:21:00.362Z] time="2024-07-26T03:20:59+02:00" level=info msg="EnableKbsCustomizedPolicy: ../../kbs/sample_policies/allow_with_correct_claims.rego"
[2024-07-26T01:21:00.362Z] time="2024-07-26T03:21:00+02:00" level=info msg="Do test kbs key release"
[2024-07-26T01:21:00.362Z] === RUN   TestLibvirtKbsKeyRelease/KbsKeyReleasePod_test
[2024-07-26T01:21:27.114Z]     assessment_runner.go:265: Waiting for containers in pod: busybox-wget are ready
[2024-07-26T01:21:30.470Z] === RUN   TestLibvirtKbsKeyRelease/KbsKeyReleasePod_test/Kbs_key_release_is_successful
[2024-07-26T01:21:35.867Z] time="2024-07-26T03:21:35+02:00" level=info msg="Success to get key.bin: This is my cluster name: "
[2024-07-26T01:21:35.867Z]     assessment_runner.go:415: Output when execute test commands:This is my cluster name: 
[2024-07-26T01:21:35.867Z] time="2024-07-26T03:21:35+02:00" level=info msg="Deleting pod busybox-wget..."
[2024-07-26T01:21:41.266Z] time="2024-07-26T03:21:40+02:00" level=info msg="Pod busybox-wget has been successfully deleted within 60s"
[2024-07-26T01:21:41.266Z] --- PASS: TestLibvirtKbsKeyRelease (139.52s)
[2024-07-26T01:21:41.266Z]     --- PASS: TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test (49.58s)
[2024-07-26T01:21:41.266Z]         --- PASS: TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test/Kbs_key_release_is_failed (9.55s)
[2024-07-26T01:21:41.266Z]     --- PASS: TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test#01 (49.53s)
[2024-07-26T01:21:41.266Z]         --- PASS: TestLibvirtKbsKeyRelease/DoTestKbsKeyReleaseForFailure_test#01/Kbs_key_release_is_failed (9.51s)
[2024-07-26T01:21:41.266Z]     --- PASS: TestLibvirtKbsKeyRelease/KbsKeyReleasePod_test (40.33s)
[2024-07-26T01:21:41.266Z]         --- PASS: TestLibvirtKbsKeyRelease/KbsKeyReleasePod_test/Kbs_key_release_is_successful (5.29s)
[2024-07-26T01:21:41.266Z] PASS
[2024-07-26T01:21:41.266Z] time="2024-07-26T03:21:40+02:00" level=info msg="Deleting namespace 'coco-pp-e2e-test-958a7109'..."
[2024-07-26T01:21:51.359Z] time="2024-07-26T03:21:50+02:00" level=info msg="Namespace 'coco-pp-e2e-test-958a7109' has been successfully deleted within 60s"
[2024-07-26T01:21:55.631Z] peer-pods-ctlplane-0 deleted on local!
[2024-07-26T01:21:55.631Z] peer-pods-worker-0 deleted on local!
[2024-07-26T01:21:55.631Z] Deleting directory /root/.kcli/clusters/peer-pods
...

@liudalibj
Copy link
Member Author

the e2e-test is failed after rebase codes with main brach,
the failed is related to #1931
REGISTRY_CREDENTIAL_ENCODED env is added, but the auth.json is missed.
https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/test/e2e/assessment_runner.go#L195

@genjuro214
Copy link
Contributor

@liudalibj , should we extract the KBS related code from provision.go and place it into a separate go file?

e2e-test: update kbs test case to support kbs with ibmse verifier
36cb6a2 
- split kbs relates codes to one file
- deploy kbs with ibmse verifer base on ENV IBM_SE_CREDS_DIR
- update kbs test case for libvrit provider to support kbs with ibmse verifier
- set key source before test cases
- `deny_all.rego` and `allow_with_wrong_image_tag.rego` are FAIL cases
- `allow_with_correct_claims.rego` is PASS case

fixes confidential-containers#1934

Signed-off-by: Da Li Liu <[email protected]>
@liudalibj
Copy link
Member Author

@liudalibj , should we extract the KBS related code from provision.go and place it into a separate go file?

split kbs related codes to one file.

podvm-mkosi: refine podvm-mkosi s390x se image build logical
bf5ebbe 
- Update podvm-mkosi s390x podvm image build logical
- Use `SE_BOOT=true` to enable se image build
- support push fedora s390x-se image

Signed-off-by: Da Li Liu <[email protected]>
@liudalibj liudalibj removed the test_e2e_libvirt Run Libvirt e2e tests label Jul 29, 2024
huoqifeng
huoqifeng approved these changes Jul 29, 2024
View reviewed changes
Copy link

@huoqifeng huoqifeng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
thanks @liudalibj

@liudalibj liudalibj merged commit 44cecf6 into confidential-containers:main Jul 29, 2024
18 of 26 checks passed
@liudalibj liudalibj deleted the kbs-ibmse branch July 29, 2024 05:25
stevenhorsman added a commit to stevenhorsman/cloud-api-adaptor that referenced this pull request Aug 12, 2024
@stevenhorsman
test/e2e: docker: Fix KBS test that doesn't compile
b0cbe27 
As part of the work in confidential-containers#1935, EnableKbsCustomizedPolicy was
replaced with EnableKbsCustomizedResourcePolicy and
EnableKbsCustomizedAttestationPolicy, but the docker tests
wasn't updated, so it doesn't compile, so fix this
@stevenhorsman stevenhorsman mentioned this pull request Aug 12, 2024
Merged
stevenhorsman added a commit to stevenhorsman/cloud-api-adaptor that referenced this pull request Aug 12, 2024
@stevenhorsman
test/e2e: docker: Fix KBS test that doesn't compile
223bc8e 
As part of the work in confidential-containers#1935, EnableKbsCustomizedPolicy was
replaced with EnableKbsCustomizedResourcePolicy and
EnableKbsCustomizedAttestationPolicy, but the docker tests
wasn't updated, so it doesn't compile, so fix this
wainersm pushed a commit to wainersm/cc-cloud-api-adaptor that referenced this pull request Aug 12, 2024
@stevenhorsman @wainersm
test/e2e: docker: Fix KBS test that doesn't compile
b3fe43a 
As part of the work in confidential-containers#1935, EnableKbsCustomizedPolicy was
replaced with EnableKbsCustomizedResourcePolicy and
EnableKbsCustomizedAttestationPolicy, but the docker tests
wasn't updated, so it doesn't compile, so fix this
wainersm pushed a commit to wainersm/cc-cloud-api-adaptor that referenced this pull request Aug 12, 2024
@stevenhorsman @wainersm
test/e2e: docker: Fix KBS test that doesn't compile
f57a8a3 
As part of the work in confidential-containers#1935, EnableKbsCustomizedPolicy was
replaced with EnableKbsCustomizedResourcePolicy and
EnableKbsCustomizedAttestationPolicy, but the docker tests
wasn't updated, so it doesn't compile, so fix this
stevenhorsman added a commit to stevenhorsman/cloud-api-adaptor that referenced this pull request Aug 13, 2024
@stevenhorsman
test/e2e: docker: Fix KBS test that doesn't compile
448ee25 
As part of the work in confidential-containers#1935, EnableKbsCustomizedPolicy was
replaced with EnableKbsCustomizedResourcePolicy and
EnableKbsCustomizedAttestationPolicy, but the docker tests
wasn't updated, so it doesn't compile, so fix this

Signed-off-by: stevenhorsman <[email protected]>
stevenhorsman added a commit that referenced this pull request Aug 13, 2024
@stevenhorsman
test/e2e: docker: Fix KBS test that doesn't compile
f1158cb 
As part of the work in #1935, EnableKbsCustomizedPolicy was
replaced with EnableKbsCustomizedResourcePolicy and
EnableKbsCustomizedAttestationPolicy, but the docker tests
wasn't updated, so it doesn't compile, so fix this

Signed-off-by: stevenhorsman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@genjuro214 genjuro214 genjuro214 approved these changes

@huoqifeng huoqifeng huoqifeng approved these changes

@kartikjoshi21 kartikjoshi21 Awaiting requested review from kartikjoshi21

@mkulke mkulke Awaiting requested review from mkulke

@stevenhorsman stevenhorsman Awaiting requested review from stevenhorsman

@bpradipt bpradipt Awaiting requested review from bpradipt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

test-e2e: update libvirt test case to support kbs with ibmse verifier.
4 participants
@liudalibj @stevenhorsman @genjuro214 @huoqifeng