From fead4d8d9ee6661f877d7d828e4921fe70b9f26b Mon Sep 17 00:00:00 2001
From: Magnus Kulke
Date: Wed, 31 Jul 2024 16:29:19 +0200
Subject: [PATCH] e2e-tests: add option to deploy kbs with custom pccs_url

TDX attestation requires a pccs_url to be set. we'll introduce a flag CUSTOM_PCCS_URL that will configure kbs to use the it.

Signed-off-by: Magnus Kulke
---
 .github/workflows/azure-e2e-test.yml | 1 +
 .../test/provisioner/trustee_kbs.go | 23 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/azure-e2e-test.yml b/.github/workflows/azure-e2e-test.yml
index e101b46ae..54f85ea75 100644
--- a/.github/workflows/azure-e2e-test.yml
+++ b/.github/workflows/azure-e2e-test.yml
@@ -264,6 +264,7 @@ jobs:
         env:
           TEST_PROVISION: "no"
           DEPLOY_KBS: "yes"
+          CUSTOM_PCCS_URL: "https://global.acccache.azure.net/sgx/certification/v4"
         run: |
           # Since we install the cluster in parallel, we need to get the credentials here.
           echo "running e2e test for ${{ matrix.parameters.id }} machine"
diff --git a/src/cloud-api-adaptor/test/provisioner/trustee_kbs.go b/src/cloud-api-adaptor/test/provisioner/trustee_kbs.go
index b0e8024eb..7229fcdca 100644
--- a/src/cloud-api-adaptor/test/provisioner/trustee_kbs.go
+++ b/src/cloud-api-adaptor/test/provisioner/trustee_kbs.go
@@ -127,6 +127,18 @@ func NewKeyBrokerService(clusterName string, cfg *envconf.Config) (*KeyBrokerSer
 	}
+	customPCCSURL := os.Getenv("CUSTOM_PCCS_URL")
+	if customPCCSURL != "" {
+		log.Info("CUSTOM_PCCS_URL is provided, write custom PCCS config")
+		configFilePath := filepath.Join(TRUSTEE_REPO_PATH, "/kbs/config/kubernetes/custom_pccs/sgx_default_qcnl.conf")
+		collateralUrl := "https://api.trustedservices.intel.com/sgx/certification/v4/"
+		config := fmt.Sprintf(`{ "pccs_url": "%s", "collateral_service": "%s"}`, customPCCSURL, collateralUrl)
+		err = saveToFile(configFilePath, []byte(config))
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// IBM_SE_CREDS_DIR describe at https://github.com/confidential-containers/trustee/blob/main/kbs/config/kubernetes/README.md#deploy-kbs
 	ibmseCredsDir := os.Getenv("IBM_SE_CREDS_DIR")
 	if ibmseCredsDir != "" {
@@ -306,7 +318,16 @@ func NewKbsInstallOverlay(installDir string) (InstallOverlay, error) {
 	if err != nil {
 		return nil, err
 	}
-	overlay, err := NewKustomizeOverlay(filepath.Join(installDir, "kbs/config/kubernetes/nodeport/"+platform))
+
+	var overlayFolder string
+	if platform == "x86_64" && os.Getenv("CUSTOM_PCCS_URL") != "" {
+		log.Info("CUSTOM_PCCS_URL is provided on x86_64, deploy with custom pccs config")
+		overlayFolder = "kbs/config/kubernetes/custom_pccs"
+	} else {
+		overlayFolder = "kbs/config/kubernetes/nodeport/" + platform
+	}
+
+	overlay, err := NewKustomizeOverlay(filepath.Join(installDir, overlayFolder))
 	if err != nil {
 		return nil, err
 	}
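Review bot: The sgx_default_qcnl.conf body in the first hunk is assembled with `fmt.Sprintf` from the raw `CUSTOM_PCCS_URL` environment value, so a value containing a double quote, backslash or stray newline produces a file that is not valid JSON, and whatever later reads that file will presumably reject it far from the code that wrote it. Marshal a small struct with `encoding/json` instead, which escapes the value correctly, and refuse to write the file when the value does not parse as an absolute URL (requiring an `https` scheme as well, if the test environments never need plain http, keeps collateral fetches on an authenticated channel). The `collateralUrl` local should be spelled `collateralURL` per Go initialism convention. `encoding/json` and `net/url` would have to be added to the file's import block, which is outside this hunk; NewKeyBrokerService itself starts before the hunk and continues past it.
```go
	customPCCSURL := os.Getenv("CUSTOM_PCCS_URL")
	if customPCCSURL != "" {
		log.Info("CUSTOM_PCCS_URL is provided, write custom PCCS config")
		// Reject malformed input here rather than letting a broken
		// config file surface as an opaque quote-verification failure.
		if u, parseErr := url.Parse(customPCCSURL); parseErr != nil || u.Scheme == "" || u.Host == "" {
			return nil, fmt.Errorf("CUSTOM_PCCS_URL %q is not an absolute URL", customPCCSURL)
		}
		configFilePath := filepath.Join(TRUSTEE_REPO_PATH, "/kbs/config/kubernetes/custom_pccs/sgx_default_qcnl.conf")
		collateralURL := "https://api.trustedservices.intel.com/sgx/certification/v4/"
		qcnl := struct {
			PCCSURL           string `json:"pccs_url"`
			CollateralService string `json:"collateral_service"`
		}{PCCSURL: customPCCSURL, CollateralService: collateralURL}
		var config []byte
		config, err = json.Marshal(qcnl)
		if err != nil {
			return nil, fmt.Errorf("encoding custom PCCS config: %w", err)
		}
		err = saveToFile(configFilePath, config)
		if err != nil {
			return nil, err
		}
	}
	// … unchanged: IBM_SE_CREDS_DIR handling …
```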
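Review bot: The `platform == "x86_64"` gate in the second hunk (@@ -306) exists only when choosing the overlay, while the first hunk writes sgx_default_qcnl.conf whenever CUSTOM_PCCS_URL is set, so on any other platform the file is created and then silently ignored with no indication to the person who set the variable. Either apply the same platform condition where the file is written, if `platform` is available in NewKeyBrokerService, or at least record the skipped case in the `else` branch here, e.g. `log.Info("CUSTOM_PCCS_URL is set but ignored on platform " + platform)`. Reading the environment a second time here rather than sharing the value with NewKeyBrokerService means the two sites only agree by convention; a tiny helper such as `func customPCCSURL() string { return os.Getenv("CUSTOM_PCCS_URL") }` would pin the variable name in one place. The rest of NewKbsInstallOverlay lies outside the hunk.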