From 280b7b8b43aefef47be043dd2679fd4dda13a07a Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Mon, 1 Jul 2024 14:20:16 +0200 Subject: [PATCH] KBS: Enable deployment for s390x The following changes enable KBS deployment with a different configuration for s390x: - Environment variable declaration: SE_SKIP_CERTS_VERIFICATION - Persistent volume/volume claim: required attestation credentials This commit differentiates the {overlays, nodeport} configuration for KBS deployment between x86_64 and s390x. It also includes updates to `deploy-kbs.sh`. 
Signed-off-by: Hyounggyu Choi
---
 kbs/config/kubernetes/deploy-kbs.sh | 21 ++++++++++++++++---
 .../nodeport/{ => s390x}/kustomization.yaml | 2 +-
 .../nodeport/{ => s390x}/patch.yaml | 0
 .../nodeport/x86_64/kustomization.yaml | 13 ++++++++++++
 .../kubernetes/nodeport/x86_64/patch.yaml | 3 +++
 .../overlays/{ => common}/ingress.yaml | 0
 .../overlays/common/kustomization.yaml | 6 ++++++
 .../overlays/s390x/kustomization.yaml | 20 ++++++++++++++++++
 .../kubernetes/overlays/s390x/patch.yaml | 19 +++++++++++++++++
 kbs/config/kubernetes/overlays/s390x/pv.yaml | 20 ++++++++++++++++++
 kbs/config/kubernetes/overlays/s390x/pvc.yaml | 12 +++++++++++
 .../overlays/{ => x86_64}/kustomization.yaml | 2 +-
 .../overlays/{ => x86_64}/patch.yaml | 0
 13 files changed, 113 insertions(+), 5 deletions(-)
 rename kbs/config/kubernetes/nodeport/{ => s390x}/kustomization.yaml (88%)
 rename kbs/config/kubernetes/nodeport/{ => s390x}/patch.yaml (100%)
 create mode 100644 kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml
 create mode 100644 kbs/config/kubernetes/nodeport/x86_64/patch.yaml
 rename kbs/config/kubernetes/overlays/{ => common}/ingress.yaml (100%)
 create mode 100644 kbs/config/kubernetes/overlays/common/kustomization.yaml
 create mode 100644 kbs/config/kubernetes/overlays/s390x/kustomization.yaml
 create mode 100644 kbs/config/kubernetes/overlays/s390x/patch.yaml
 create mode 100644 kbs/config/kubernetes/overlays/s390x/pv.yaml
 create mode 100644 kbs/config/kubernetes/overlays/s390x/pvc.yaml
 rename kbs/config/kubernetes/overlays/{ => x86_64}/kustomization.yaml (96%)
 rename kbs/config/kubernetes/overlays/{ => x86_64}/patch.yaml (100%)
diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh
index a3e9c3a318..c19b51d0d7 100755
--- a/kbs/config/kubernetes/deploy-kbs.sh
+++ b/kbs/config/kubernetes/deploy-kbs.sh
@@ -6,11 +6,12 @@ set -euo pipefail
 DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}"
 k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})"
+ARCH=$(uname -m)
 # Fail the script if the key.bin file does not exist.
-key_file="${k8s_cnf_dir}/overlays/key.bin"
+key_file="${k8s_cnf_dir}/overlays/${ARCH}/key.bin"
 [[ -f "${key_file}" ]] || {
-    echo "key.bin file does not exist"
+    echo "key.bin not found at ${k8s_cnf_dir}/overlays/${ARCH}/"
 exit 1
 }
@@ -21,4 +22,18 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem"
 openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}"
 }
-kubectl apply -k "./${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
+if [ "${ARCH}" == "s390x" ]; then
+ if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then
+ export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
+ envsubst <"${k8s_cnf_dir}/overlays/s390x/pv.yaml" | kubectl apply -f -
+ else
+ echo "IBM_SE_CREDS_DIR is empty" >&2
+ exit 1
+ fi
+fi
+
+if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then
+ kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}/${ARCH}"
+else
+ kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
+fi
diff --git a/kbs/config/kubernetes/nodeport/kustomization.yaml b/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml
similarity index 88%
rename from kbs/config/kubernetes/nodeport/kustomization.yaml
rename to kbs/config/kubernetes/nodeport/s390x/kustomization.yaml
index 38bcc74a19..28a4fedb59 100644
--- a/kbs/config/kubernetes/nodeport/kustomization.yaml
+++ b/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 resources:
-- ../overlays
+- ../../overlays/s390x
 patches:
 - path: patch.yaml
diff --git a/kbs/config/kubernetes/nodeport/patch.yaml b/kbs/config/kubernetes/nodeport/s390x/patch.yaml
similarity index 100%
rename from kbs/config/kubernetes/nodeport/patch.yaml
rename to kbs/config/kubernetes/nodeport/s390x/patch.yaml
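Review bot: `ARCH=$(uname -m)` reports the architecture of the host running the script, not of the cluster being deployed to, so a deployment driven from an x86_64 workstation against an s390x cluster selects the x86_64 overlay and the s390x branch that creates the credential PersistentVolume is skipped. Keeping the default but allowing a caller to pin it, `ARCH="${ARCH:-$(uname -m)}"`, avoids that. Any other value (aarch64, for instance) now fails with the "key.bin not found" message on the following lines rather than saying the architecture is unsupported; a `case "${ARCH}" in x86_64|s390x) ;; *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; esac` right after the assignment would report the real cause.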
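Review bot: `export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')` hides a failed kubectl from `set -e` (export returns 0 regardless of the substitution), so on error the PersistentVolume in overlays/s390x/pv.yaml is rendered with an empty `${NODE_NAME}`, and on success it is pinned to whichever node the API server happens to list first, which on a multi-node cluster need not be the node that holds `IBM_SE_CREDS_DIR`. Splitting the declaration, `NODE_NAME="${NODE_NAME:-$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')}" || exit 1` followed by `export NODE_NAME`, both surfaces the failure and lets the caller name the node. `IBM_SE_CREDS_DIR` is only checked for non-emptiness, while `local.path` in pv.yaml is expected to be an absolute path that exists on that node, so a `[[ "${IBM_SE_CREDS_DIR}" == /* ]]` guard here would fail earlier and more clearly than the API server. Giving `envsubst` an explicit list, `envsubst '${IBM_SE_CREDS_DIR} ${NODE_NAME}'`, also keeps any other `$` in the template from being rewritten from the deployer's environment.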
diff --git a/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml b/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml
new file mode 100644
index 0000000000..3f844547fe
--- /dev/null
+++ b/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../../overlays/x86_64
+
+patches:
+- path: patch.yaml
+ target:
+ group: ""
+ kind: Service
+ name: kbs
diff --git a/kbs/config/kubernetes/nodeport/x86_64/patch.yaml b/kbs/config/kubernetes/nodeport/x86_64/patch.yaml
new file mode 100644
index 0000000000..aed089ccc4
--- /dev/null
+++ b/kbs/config/kubernetes/nodeport/x86_64/patch.yaml
@@ -0,0 +1,3 @@
+- op: add
+ path: /spec/type
+ value: NodePort
diff --git a/kbs/config/kubernetes/overlays/ingress.yaml b/kbs/config/kubernetes/overlays/common/ingress.yaml
similarity index 100%
rename from kbs/config/kubernetes/overlays/ingress.yaml
rename to kbs/config/kubernetes/overlays/common/ingress.yaml
diff --git a/kbs/config/kubernetes/overlays/common/kustomization.yaml b/kbs/config/kubernetes/overlays/common/kustomization.yaml
new file mode 100644
index 0000000000..84ababaf4a
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/common/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../../base
diff --git a/kbs/config/kubernetes/overlays/s390x/kustomization.yaml b/kbs/config/kubernetes/overlays/s390x/kustomization.yaml
new file mode 100644
index 0000000000..24a3a1d92a
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coco-tenant
+
+resources:
+- ../common
+- pvc.yaml
+
+patches:
+- path: patch.yaml
+ target:
+ kind: Deployment
+ name: kbs
+
+# Store keys that KBS will release to workloads after attestation:
+# kbs:///reponame/workload_key/key.bin
+secretGenerator:
+- files:
+ - key.bin
+ name: keys
diff --git a/kbs/config/kubernetes/overlays/s390x/patch.yaml b/kbs/config/kubernetes/overlays/s390x/patch.yaml
new file mode 100644
index 0000000000..3d7c23e6a0
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/patch.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kbs
+spec:
+ template:
+ spec:
+ containers:
+ - name: kbs
+ env:
+ - name: SE_SKIP_CERTS_VERIFICATION
+ value: "true"
+ volumeMounts:
+ - name: test-local-volume
+ mountPath: /run/confidential-containers/ibmse/
+ volumes:
+ - name: test-local-volume
+ persistentVolumeClaim:
+ claimName: test-local-pvc
diff --git a/kbs/config/kubernetes/overlays/s390x/pv.yaml b/kbs/config/kubernetes/overlays/s390x/pv.yaml
new file mode 100644
index 0000000000..266f75c193
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/pv.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: test-local-pv
+spec:
+ capacity:
+ storage: 1Gi
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-storage
+ local:
+ path: ${IBM_SE_CREDS_DIR}
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - ${NODE_NAME}
diff --git a/kbs/config/kubernetes/overlays/s390x/pvc.yaml b/kbs/config/kubernetes/overlays/s390x/pvc.yaml
new file mode 100644
index 0000000000..18f86b16ae
--- /dev/null
+++ b/kbs/config/kubernetes/overlays/s390x/pvc.yaml
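Review bot: `SE_SKIP_CERTS_VERIFICATION` is hard-coded to `"true"` in overlays/s390x/patch.yaml, so every deployment built from this overlay (including the nodeport variant that now inherits it) runs KBS with what the name indicates is certificate verification disabled for the IBM SE attestation path, and nothing in the manifest marks that as a test setting. A comment above the env entry, `# Test/CI only: skips certificate verification for the IBM SE attestation path; must not be set in production`, would make the intent visible to whoever next copies this overlay, matching the signal already given by the `test-local-volume`/`test-local-pvc` names. If the overlay is meant to serve real s390x deployments too, the value should come from a configMapGenerator or an override that defaults to `"false"` rather than a literal in the patch.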
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: test-local-pvc
+ namespace: coco-tenant
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-storage
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/kbs/config/kubernetes/overlays/kustomization.yaml b/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml
similarity index 96%
rename from kbs/config/kubernetes/overlays/kustomization.yaml
rename to kbs/config/kubernetes/overlays/x86_64/kustomization.yaml
index 87e40e92c6..9b162df589 100644
--- a/kbs/config/kubernetes/overlays/kustomization.yaml
+++ b/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 resources:
-- ../base
+- ../common
 patches:
 - path: patch.yaml
diff --git a/kbs/config/kubernetes/overlays/patch.yaml b/kbs/config/kubernetes/overlays/x86_64/patch.yaml
similarity index 100%
rename from kbs/config/kubernetes/overlays/patch.yaml
rename to kbs/config/kubernetes/overlays/x86_64/patch.yaml