-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend virtctl to Support Interactive SEV Attestation #7595
base: main
Are you sure you want to change the base?
Conversation
Hi @Fuzzy-Math. Thanks for your PR. I'm waiting for a kubevirt member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/hold |
f0132f7
to
ca79d71
Compare
ca79d71
to
0091577
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Just added a few minor comments.
pkg/virtctl/sev/attestation.go
Outdated
if pathProvided { | ||
if _, err := file.Write(data); err != nil { | ||
log.Log.Errorf("[SEV] Failed to write certificate chain to %s", outpath) | ||
return fmt.Errorf("Error %s/%s: %v", namespace, vmiName, err) | ||
} | ||
log.Log.Infof("[SEV]Writing platform certificate chain to %s", outpath) | ||
} else { | ||
fmt.Printf("%s\n", string(data)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the code can be simplified by using https://pkg.go.dev/io/ioutil#WriteFile . That way you will not need the file, err = os.OpenFile(...)
part above. Same applies for the COMMAND_QUERY_MEASUREMENT
case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using WriteFile()
would overwrite the file if it already existed. As designed, I don't allow overwriting existing files and it's a failure condition if the file exists.
d13029c
to
692eb49
Compare
@alicefr thoughts? |
@jean-edouard @iholder-redhat |
Thanks for the FYI! |
pkg/virtctl/sev/attestation.go
Outdated
} | ||
defer file.Close() | ||
|
||
if sevPlatformInfo, err := virtClient.VirtualMachineInstance(namespace).SEVFetchCertChain(vmiName); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rewrite this as:
sevPlatformInfo, err := virtClient.VirtualMachineInstance(namespace).SEVFetchCertChain(vmiName)
if err != nil {
return fmt.Errorf("Error %s/%s: %v", namespace, vmiName, err)
}
It can avoid one level indentation
pkg/virtctl/sev/attestation.go
Outdated
|
||
case COMMAND_FETCH_CERT_CHAIN: | ||
var file *os.File | ||
pathProvided := outpath != "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you evaluate this statement before the switch as you are repeating it 3 times there?
pkg/virtctl/sev/attestation.go
Outdated
return fmt.Errorf("Error %s/%s: %v", namespace, vmiName, err) | ||
} | ||
} | ||
defer file.Close() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be this placed inside the if pathProvided
as otherwise you don't open the file?Just wondering if you don't get a nil pointer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally for the write and open of the file you could create a function since you are repeating it. It could also help improve the readability of the code
@dhiller: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
#7197 is now merged. I think this PR is also good to go in (after rebase and another review round). |
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
* Copyright 2022 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This probably can be updated
if outpath != "" { | ||
file, err := os.OpenFile(outpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, output_perm) | ||
if err != nil { | ||
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err) | ||
} | ||
defer file.Close() | ||
|
||
_, err = file.Write(data) | ||
if err != nil { | ||
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err) | ||
} | ||
log.Log.Infof(logFmt, outpath) | ||
} else { | ||
fmt.Printf("%s\n", string(data)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if outpath != "" { | |
file, err := os.OpenFile(outpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, output_perm) | |
if err != nil { | |
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err) | |
} | |
defer file.Close() | |
_, err = file.Write(data) | |
if err != nil { | |
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err) | |
} | |
log.Log.Infof(logFmt, outpath) | |
} else { | |
fmt.Printf("%s\n", string(data)) | |
} | |
if output == "" { | |
fmt.Printf("%s\n", string(data)) | |
return nil | |
} | |
file, err := os.OpenFile(outpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, output_perm) | |
if err != nil { | |
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err) | |
} | |
defer file.Close() | |
_, err = file.Write(data) | |
if err != nil { | |
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err) | |
} | |
log.Log.Infof(logFmt, outpath) |
|
||
Describe("The 'setup-session' command", func() { | ||
Context("Creation", func() { | ||
It("should succeed", func() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this test?
Expect(cmd).ToNot(BeNil()) | ||
}) | ||
}) | ||
Context("With no argument", func() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about grouping this and the next 3 tests into a table?
}) | ||
}) | ||
Context("With no argument", func() { | ||
It("should fail", func() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, as above, try to group tests that has very similar code into a table
@vasiliy-ul @Fuzzy-Math do we plan to add also functional tests for this? |
/ok-to-test |
I think yes, now it makes sense since the API is in place. |
@Fuzzy-Math I think a run of |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with /lifecycle rotten |
Rotten issues close after 30d of inactivity. /close |
@kubevirt-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There's CI support on a periodic base for this here: https://testgrid.k8s.io/kubevirt-periodics#periodic-kubevirt-e2e-k8s-1.26-sev /reopen |
@dhiller: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test pull-kubevirt-e2e-k8s-1.26-sev Let's see how the presubmit goes |
Hey @vasiliy-ul @Fuzzy-Math, are you folks up to picking this up again? |
Hi @dhiller. Thank you for the ping. The PR probably needs a rebase and also some updates to address the comments. Yes, definitely, we will look at it. |
@vasiliy-ul I've converted it back to draft, just to reduce spent CI resources. Reconvert any time when it's ready. |
@Fuzzy-Math: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
What this PR does / why we need it:
This PR extends
virtctl
to support interactive attestation of SEV enabled workloads.The following subcommands have been added:
virtctl sev fetch-cert-chain
virtctl sev setup-session
virtctl sev query-measurement
virtctl sev inject-secret
Special notes for your reviewer:
Release note: