WIP

confidential-containers · Aug 9, 2024 · 49fe28e · 49fe28e
1 parent f6afaaa
commit 49fe28e
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 178 deletions.
diff --git a/src/cloud-api-adaptor/test/e2e/common_suite.go b/src/cloud-api-adaptor/test/e2e/common_suite.go
@@ -5,7 +5,6 @@ package e2e
 
 import (
  "bytes"
- "encoding/json"
  "fmt"
  "math/rand"
  "os"
@@ -242,42 +241,13 @@ func DoTestCreatePeerPodWithPVCAndCSIWrapper(t *testing.T, e env.Environment, as
 
 func DoTestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T, e env.Environment, assert CloudAssert) {
  randseed := rand.New(rand.NewSource(time.Now().UnixNano()))
- podName := "authenticated-image-valid-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"
+ podName := "authenticated-image-with-creds-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"
  imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE")
  pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever))
  NewTestCase(t, e, "ValidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Valid Credentials(Default service account) has been created").WithPod(pod).WithCustomPodState(v1.PodRunning).Run()
 }
 
-func DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T, e env.Environment, assert CloudAssert) {
- registryName := "quay.io"
- if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- registryName = strings.Split(os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"), "/")[0]
- }
- randseed := rand.New(rand.NewSource(time.Now().UnixNano()))
- podName := "authenticated-image-invalid-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"
- secretName := "auth-json-secret-invalid"
- data := map[string]interface{}{
- "auths": map[string]interface{}{
- registryName: map[string]interface{}{
- "auth": "aW52YWxpZHVzZXJuYW1lOmludmFsaWRwYXNzd29yZAo=",
- },
- },
- }
- jsondata, err := json.MarshalIndent(data, "", " ")
- if err != nil {
- t.Fatal(err)
- }
- if err != nil {
- t.Fatal(err)
- }
- expectedErrorMessage := "invalid username/password: unauthorized: Invalid Username or Password"
- secretData := map[string][]byte{v1.DockerConfigJsonKey: jsondata}
- secret := NewSecret(E2eNamespace, secretName, secretData, v1.SecretTypeDockerConfigJson)
- imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE")
- pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever), WithImagePullSecrets(secretName))
- NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Invalid Credentials has been created").WithSecret(secret).WithPod(pod).WithExpectedPodDescribe(expectedErrorMessage).WithCustomPodState(v1.PodPending).Run()
-}
-
+// Check that without creds the image can't be pulled to ensure we don't have a false positive in our auth test
 func DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T, e env.Environment, assert CloudAssert) {
  randseed := rand.New(rand.NewSource(time.Now().UnixNano()))
  podName := "authenticated-image-without-creds-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"

diff --git a/src/cloud-api-adaptor/test/e2e/docker_test.go b/src/cloud-api-adaptor/test/e2e/docker_test.go
@@ -110,29 +110,20 @@ func TestDockerKbsKeyRelease(t *testing.T) {
  DoTestKbsKeyRelease(t, testEnv, assert)
 }
 
-func TestDockerCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T) {
+func TestDockerCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T) {
  assert := DockerAssert{}
- if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" && os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- DoTestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t, testEnv, assert)
+ if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
+ DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t, testEnv, assert)
  } else {
- t.Skip("Registry Credentials, or authenticated image name not exported")
+ t.Skip("Authenticated Image Name not exported")
  }
 }
 
-func TestDockerCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T) {
+func TestDockerCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T) {
  assert := DockerAssert{}
  if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" && os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t, testEnv, assert)
- } else {
- t.Skip("Registry Credentials not exported")
- }
-}
-
-func TestDockerCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T) {
- assert := DockerAssert{}
- if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t, testEnv, assert)
+ DoTestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t, testEnv, assert)
  } else {
- t.Skip("Authenticated Image Name not exported")
+ t.Skip("Registry Credentials, or authenticated image name not exported")
  }
 }
diff --git a/src/cloud-api-adaptor/test/e2e/ibmcloud_test.go b/src/cloud-api-adaptor/test/e2e/ibmcloud_test.go
@@ -154,17 +154,6 @@ func TestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T) {
  }
 }
 
-func TestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T) {
- assert := IBMCloudAssert{
- VPC: pv.IBMCloudProps.VPC,
- }
- if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" && os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t, testEnv, assert)
- } else {
- t.Skip("Registry Credentials not exported")
- }
-}
-
 func TestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T) {
  assert := IBMCloudAssert{
  VPC: pv.IBMCloudProps.VPC,

diff --git a/src/cloud-api-adaptor/test/e2e/libvirt_test.go b/src/cloud-api-adaptor/test/e2e/libvirt_test.go
@@ -140,29 +140,20 @@ func TestLibvirtPermissivePolicyAllowsExec(t *testing.T) {
  DoTestPermissivePolicyAllowsExec(t, testEnv, assert)
 }
 
-func TestLibvirtCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T) {
+func TestLibvirtCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T) {
  assert := LibvirtAssert{}
- if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" && os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- DoTestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t, testEnv, assert)
+ if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
+ DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t, testEnv, assert)
  } else {
- t.Skip("Registry Credentials, or authenticated image name not exported")
+ t.Skip("Authenticated Image Name not exported")
  }
 }
 
-func TestLibvirtCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T) {
+func TestLibvirtCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T) {
  assert := LibvirtAssert{}
  if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" && os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t, testEnv, assert)
- } else {
- t.Skip("Registry Credentials not exported")
- }
-}
-
-func TestLibvirtCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T) {
- assert := LibvirtAssert{}
- if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t, testEnv, assert)
+ DoTestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t, testEnv, assert)
  } else {
- t.Skip("Authenticated Image Name not exported")
+ t.Skip("Registry Credentials, or authenticated image name not exported")
  }
 }
diff --git a/src/cloud-api-adaptor/test/provisioner/docker/provision_common.go b/src/cloud-api-adaptor/test/provisioner/docker/provision_common.go
@@ -5,9 +5,7 @@ package docker
 
 import (
  "context"
- "encoding/json"
  "fmt"
- "strings"
 
  "os"
  "os/exec"
@@ -17,8 +15,6 @@ import (
  "github.com/containerd/containerd/reference"
  "github.com/docker/docker/client"
  log "github.com/sirupsen/logrus"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/client-go/kubernetes"
 
  "sigs.k8s.io/e2e-framework/pkg/envconf"
 )
@@ -261,46 +257,8 @@ func (lio *DockerInstallOverlay) Edit(ctx context.Context, cfg *envconf.Config,
  }
  }
 
- //TODO refactor with ibmcloud
- if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" {
- registryName := "quay.io"
- client, err := cfg.NewClient()
- if err != nil {
- return err
- }
- clientSet, err := kubernetes.NewForConfig(client.RESTConfig())
- if err != nil {
- return err
- }
- _, err = clientSet.CoreV1().Secrets("confidential-containers-system").Get(ctx, "auth-json-secret", metav1.GetOptions{})
- if err == nil {
- log.Info("Deleting pre-existing auth-json-secret...")
- err = clientSet.CoreV1().Secrets("confidential-containers-system").Delete(ctx, "auth-json-secret", metav1.DeleteOptions{})
- if err != nil {
- return err
- }
- }
- if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- registryName = strings.Split(os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"), "/")[0]
- }
- log.Info("Setting up auth.json")
- data := map[string]interface{}{
- "auths": map[string]interface{}{
- registryName: map[string]interface{}{
- "auth": os.Getenv("REGISTRY_CREDENTIAL_ENCODED"),
- },
- },
- }
- jsondata, err := json.MarshalIndent(data, "", " ")
- if err != nil {
- return err
- }
- if err := os.WriteFile(filepath.Join(lio.Overlay.ConfigDir, "auth.json"), jsondata, 0644); err != nil {
- return err
- }
- if err = lio.Overlay.SetKustomizeSecretGeneratorFile("auth-json-secret", "auth.json"); err != nil {
- return err
- }
+ if err := lio.Overlay.SetAuthJsonSecretIfApplicable(); err != nil {
+ return err
  }
 
  if err := lio.Overlay.YamlReload(); err != nil {

diff --git a/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_kustomize.go b/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_kustomize.go
@@ -8,17 +8,23 @@ import (
  "encoding/json"
  "io"
  "net/http"
- "os"
  "path/filepath"
  "strings"
 
  pv "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/test/provisioner"
  log "github.com/sirupsen/logrus"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/client-go/kubernetes"
  "sigs.k8s.io/e2e-framework/pkg/envconf"
 )
 
+// TODO - refactor into common
+const authJSONTemplate string = `{
+ "auths": {
+ "quay.io": {
+ "auth": "%s"
+ }
+ }
+}`
+
 // IBMCloudInstallOverlay implements the InstallOverlay interface
 type IBMCloudInstallOverlay struct {
  Overlay *pv.KustomizeOverlay
@@ -167,46 +173,11 @@ func (lio *IBMCloudInstallOverlay) Edit(ctx context.Context, cfg *envconf.Config
  }
  }
  }
- if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" {
- registryName := "quay.io"
- client, err := cfg.NewClient()
- if err != nil {
- return err
- }
- clientSet, err := kubernetes.NewForConfig(client.RESTConfig())
- if err != nil {
- return err
- }
- _, err = clientSet.CoreV1().Secrets("confidential-containers-system").Get(ctx, "auth-json-secret", metav1.GetOptions{})
- if err == nil {
- log.Info("Deleting pre-existing auth-json-secret...")
- err = clientSet.CoreV1().Secrets("confidential-containers-system").Delete(ctx, "auth-json-secret", metav1.DeleteOptions{})
- if err != nil {
- return err
- }
- }
- if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
- registryName = strings.Split(os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"), "/")[0]
- }
- log.Info("Setting up auth.json")
- data := map[string]interface{}{
- "auths": map[string]interface{}{
- registryName: map[string]interface{}{
- "auth": os.Getenv("REGISTRY_CREDENTIAL_ENCODED"),
- },
- },
- }
- jsondata, err := json.MarshalIndent(data, "", " ")
- if err != nil {
- return err
- }
- if err := os.WriteFile(filepath.Join(lio.Overlay.ConfigDir, "auth.json"), jsondata, 0644); err != nil {
- return err
- }
- if err = lio.Overlay.SetKustomizeSecretGeneratorFile("auth-json-secret", "auth.json"); err != nil {
- return err
- }
+
+ if err = lio.Overlay.SetAuthJsonSecretIfApplicable(); err != nil {
+ return err
  }
+
  if err = lio.Overlay.YamlReload(); err != nil {
  return err
  }

diff --git a/src/cloud-api-adaptor/test/provisioner/kustomize.go b/src/cloud-api-adaptor/test/provisioner/kustomize.go
@@ -5,6 +5,7 @@ import (
  "context"
  "fmt"
  "os"
+ "path/filepath"
  "strings"
 
  "golang.org/x/exp/slices"
@@ -378,3 +379,24 @@ func setSecretGeneratorLiteral(k *ktypes.Kustomization, secretName string, key s
 
  return nil
 }
+
+func (kh *KustomizeOverlay) SetAuthJsonSecretIfApplicable() error {
+ if cred := os.Getenv("REGISTRY_CREDENTIAL_ENCODED"); cred != "" {
+ registryName := strings.Split(os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"), "/")[0]
+ template := `{
+ "auths": {
+ "%s": {
+ "auth": "%s"
+ }
+ }
+ }`
+ authJSON := fmt.Sprintf(template, registryName, cred)
+ if err := os.WriteFile(filepath.Join(kh.ConfigDir, "auth.json"), []byte(authJSON), 0644); err != nil {
+ return err
+ }
+ if err := kh.SetKustomizeSecretGeneratorFile("auth-json-secret", "auth.json"); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/src/cloud-api-adaptor/test/provisioner/libvirt/provision_common.go b/src/cloud-api-adaptor/test/provisioner/libvirt/provision_common.go
@@ -19,14 +19,6 @@ import (
  "sigs.k8s.io/e2e-framework/pkg/envconf"
 )
 
-const authJSONTemplate string = `{
- "auths": {
- "quay.io": {
- "auth": "%s"
- }
- }
-}`
-
 // LibvirtProvisioner implements the CloudProvisioner interface for Libvirt.
 type LibvirtProvisioner struct {
  conn *libvirt.Connect // Libvirt connection
@@ -345,15 +337,8 @@ func (lio *LibvirtInstallOverlay) Edit(ctx context.Context, cfg *envconf.Config,
  }
  }
 
- // TODO - refactor with Ibm cloud
- if cred := os.Getenv("REGISTRY_CREDENTIAL_ENCODED"); cred != "" {
- authJSON := fmt.Sprintf(authJSONTemplate, cred)
- if err := os.WriteFile(filepath.Join(lio.Overlay.ConfigDir, "auth.json"), []byte(authJSON), 0644); err != nil {
- return err
- }
- if err = lio.Overlay.SetKustomizeSecretGeneratorFile("auth-json-secret", "auth.json"); err != nil {
- return err
- }
+ if err = lio.Overlay.SetAuthJsonSecretIfApplicable(); err != nil {
+ return err
  }
 
  if err = lio.Overlay.YamlReload(); err != nil {