gha: k8s: prepare AKS workflow to install the CoCo KBS

Changed the "run k8s tests on AKS" workflows to get the CoCo KBS installed so that we can run attestation tests. The plan is to run attestation tests only on a subset of non-TEE jobs initially, so this commit restricts to install KBS only on kata-qemu configuration. Actually at this point it is added only stubs commands to tests/integration/kubernetes/gha-run.sh that should be implemented in a future commit. Fixes #9058 Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
kata-containers · Feb 27, 2024 · 2f40279 · 2f40279
1 parent bb5e33b
commit 2f40279
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -52,6 +52,10 @@ jobs:
       GH_PR_NUMBER: ${{ inputs.pr-number }}
       KATA_HOST_OS: ${{ matrix.host_os }}
       KATA_HYPERVISOR: ${{ matrix.vmm }}
+      # Set to install the KBS for attestation tests
+      KBS: ${{ (matrix.vmm == 'qemu' && matrix.host_os == 'ubuntu') && 'true' || 'false' }}
+      # Set the KBS ingress handler (empty string disables handling)
+      KBS_INGRESS: "aks"
       KUBERNETES: "vanilla"
       USING_NFD: "false"
       K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
@@ -103,7 +107,12 @@ jobs:
       - name: Deploy Kata
         timeout-minutes: 10
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
-
+
+      - name: Deploy CoCo KBS
+        if: env.KBS == 'true'
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
       - name: Run tests
         timeout-minutes: 60
         run: bash tests/integration/kubernetes/gha-run.sh run-tests

diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
@@ -23,6 +23,8 @@ DOCKER_TAG=${DOCKER_TAG:-kata-containers-latest}
 KATA_DEPLOY_WAIT_TIMEOUT=${KATA_DEPLOY_WAIT_TIMEOUT:-10m}
 SNAPSHOTTER_DEPLOY_WAIT_TIMEOUT=${SNAPSHOTTER_DEPLOY_WAIT_TIMEOUT:-8m}
 KATA_HYPERVISOR=${KATA_HYPERVISOR:-qemu}
+KBS=${KBS:-false}
+KBS_INGRESS=${KBS_INGRESS:-}
 KUBERNETES="${KUBERNETES:-}"
 SNAPSHOTTER="${SNAPSHOTTER:-}"
 export AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-no}"
@@ -103,6 +105,10 @@ function configure_snapshotter() {
 	echo "::endgroup::"
 }
 
+function deploy_coco_kbs() {
+	echo "TODO: deploy https://github.com/confidential-containers/kbs"
+}
+
 function deploy_kata() {
 	platform="${1}"
 	ensure_yq
@@ -354,6 +360,7 @@ function main() {
 		create-cluster-kcli) create_cluster_kcli ;;
 		configure-snapshotter) configure_snapshotter ;;
 		setup-crio) setup_crio ;;
+		deploy-coco-kbs) deploy_coco_kbs ;;
 		deploy-k8s) deploy_k8s ;;
 		install-bats) install_bats ;;
 		install-kata-tools) install_kata_tools ;;