KBS: Enable deployment for s390x

The following changes enable KBS deployment with a different configuration for s390x: - Environment variable declaration: SE_SKIP_CERTS_VERIFICATION - Persist volume/volume claim: required attestation credentials This commit differentiates the {overlays, nodeport} configuration for KBS deployment between x86_64 and s390x. It also includes updates to `deploy-kbs.sh`. Signed-off-by: Hyounggyu Choi <[email protected]>
confidential-containers · Jul 1, 2024 · 280b7b8 · 280b7b8
1 parent 53863f0
commit 280b7b8
Show file tree

Hide file tree

Showing 13 changed files with 113 additions and 5 deletions.
diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh
@@ -6,11 +6,12 @@ set -euo pipefail
 DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}"
 
 k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})"
+ARCH=$(uname -m)
 
 # Fail the script if the key.bin file does not exist.
-key_file="${k8s_cnf_dir}/overlays/key.bin"
+key_file="${k8s_cnf_dir}/overlays/${ARCH}/key.bin"
 [[ -f "${key_file}" ]] || {
-    echo "key.bin file does not exist"
+    echo "key.bin not found at ${k8s_cnf_dir}/overlays/${ARCH}/"
     exit 1
 }
 
@@ -21,4 +22,18 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem"
     openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}"
 }
 
-kubectl apply -k "./${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
+if [ "${ARCH}" == "s390x" ]; then
+    if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then
+    export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
+    envsubst <"${k8s_cnf_dir}/overlays/s390x/pv.yaml" | kubectl apply -f -
+    else
+        echo "IBM_SE_CREDS_DIR is empty" >&2
+        exit 1
+    fi
+fi
+
+if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then
+    kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}/${ARCH}"
+else
+    kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
+fi
diff --git a/...ig/kubernetes/nodeport/kustomization.yaml → ...ernetes/nodeport/s390x/kustomization.yaml b/...ig/kubernetes/nodeport/kustomization.yaml → ...ernetes/nodeport/s390x/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 
 resources:
-- ../overlays
+- ../../overlays/s390x
 
 patches:
 - path: patch.yaml

diff --git a/kbs/config/kubernetes/nodeport/patch.yaml → ...nfig/kubernetes/nodeport/s390x/patch.yaml b/kbs/config/kubernetes/nodeport/patch.yaml → ...nfig/kubernetes/nodeport/s390x/patch.yaml
diff --git a/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml b/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../../overlays/x86_64
+
+patches:
+- path: patch.yaml
+  target:
+    group: ""
+    kind: Service
+    name: kbs
diff --git a/kbs/config/kubernetes/nodeport/x86_64/patch.yaml b/kbs/config/kubernetes/nodeport/x86_64/patch.yaml
@@ -0,0 +1,3 @@
+- op: add
+  path: /spec/type
+  value: NodePort
diff --git a/kbs/config/kubernetes/overlays/ingress.yaml → ...g/kubernetes/overlays/common/ingress.yaml b/kbs/config/kubernetes/overlays/ingress.yaml → ...g/kubernetes/overlays/common/ingress.yaml
diff --git a/kbs/config/kubernetes/overlays/common/kustomization.yaml b/kbs/config/kubernetes/overlays/common/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../../base
diff --git a/kbs/config/kubernetes/overlays/s390x/kustomization.yaml b/kbs/config/kubernetes/overlays/s390x/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../common
+- pvc.yaml
+
+patches:
+- path: patch.yaml
+  target:
+    kind: Deployment
+    name: kbs
+
+# Store keys that KBS will release to workloads after attestation:
+# kbs:///reponame/workload_key/key.bin
+secretGenerator:
+- files:
+  - key.bin
+  name: keys
diff --git a/kbs/config/kubernetes/overlays/s390x/patch.yaml b/kbs/config/kubernetes/overlays/s390x/patch.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kbs
+spec:
+  template:
+    spec:
+      containers:
+      - name: kbs
+        env:
+        - name: SE_SKIP_CERTS_VERIFICATION
+          value: "true"
+        volumeMounts:
+        - name: test-local-volume
+          mountPath: /run/confidential-containers/ibmse/
+      volumes:
+      - name: test-local-volume
+        persistentVolumeClaim:
+          claimName: test-local-pvc
diff --git a/kbs/config/kubernetes/overlays/s390x/pv.yaml b/kbs/config/kubernetes/overlays/s390x/pv.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: test-local-pv
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-storage
+  local:
+    path: ${IBM_SE_CREDS_DIR}
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - ${NODE_NAME}
diff --git a/kbs/config/kubernetes/overlays/s390x/pvc.yaml b/kbs/config/kubernetes/overlays/s390x/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: test-local-pvc
+  namespace: coco-tenant
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-storage
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/...ig/kubernetes/overlays/kustomization.yaml → ...rnetes/overlays/x86_64/kustomization.yaml b/...ig/kubernetes/overlays/kustomization.yaml → ...rnetes/overlays/x86_64/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 
 resources:
-- ../base
+- ../common
 
 patches:
 - path: patch.yaml

diff --git a/kbs/config/kubernetes/overlays/patch.yaml → ...fig/kubernetes/overlays/x86_64/patch.yaml b/kbs/config/kubernetes/overlays/patch.yaml → ...fig/kubernetes/overlays/x86_64/patch.yaml