node-installer: test template patching

edgelesssys · Jul 16, 2024 · fb276a5 · fb276a5
1 parent d41318e
commit fb276a5
Show file tree

Hide file tree

Showing 3 changed files with 214 additions and 8 deletions.
diff --git a/node-installer/node-installer_test.go b/node-installer/node-installer_test.go
@@ -10,38 +10,46 @@ import (
 
 	_ "embed"
 
+	"github.com/edgelesssys/contrast/node-installer/internal/constants"
 	"github.com/edgelesssys/contrast/node-installer/platforms"
+	"github.com/pelletier/go-toml/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 var (
 	//go:embed testdata/expected-aks-clh-snp.toml
 	expectedConfAKSCLHSNP []byte
-
 	//go:embed testdata/expected-bare-metal-qemu-tdx.toml
 	expectedConfBareMetalQEMUTDX []byte
+	//go:embed testdata/expected-bare-metal-qemu-tdx.toml.tmpl
+	expectedConfTmplBareMetalQEMUTDX []byte
 	//go:embed testdata/expected-bare-metal-qemu-snp.toml
 	expectedConfBareMetalQEMUSNP []byte
+	//go:embed testdata/expected-bare-metal-qemu-snp.toml.tmpl
+	expectedConfTmplBareMetalQEMUSNP []byte
 )
 
 func TestPatchContainerdConfig(t *testing.T) {
 	testCases := map[string]struct {
-		platform platforms.Platform
-		expected []byte
-		wantErr  bool
+		platform         platforms.Platform
+		expected         []byte
+		expectedTemplate []byte
+		wantErr          bool
 	}{
 		"AKSCLHSNP": {
 			platform: platforms.AKSCloudHypervisorSNP,
 			expected: expectedConfAKSCLHSNP,
 		},
 		"BareMetalQEMUTDX": {
-			platform: platforms.K3sQEMUTDX,
-			expected: expectedConfBareMetalQEMUTDX,
+			platform:         platforms.K3sQEMUTDX,
+			expected:         expectedConfBareMetalQEMUTDX,
+			expectedTemplate: expectedConfTmplBareMetalQEMUTDX,
 		},
 		"BareMetalQEMUSNP": {
-			platform: platforms.K3sQEMUSNP,
-			expected: expectedConfBareMetalQEMUSNP,
+			platform:         platforms.K3sQEMUSNP,
+			expected:         expectedConfBareMetalQEMUSNP,
+			expectedTemplate: expectedConfTmplBareMetalQEMUSNP,
 		},
 		"Unknown": {
 			platform: platforms.Unknown,
@@ -60,6 +68,8 @@ func TestPatchContainerdConfig(t *testing.T) {
 
 			configPath := filepath.Join(tmpDir, "config.toml")
 
+			// Testing patching a config.
+
 			err = patchContainerdConfig("my-runtime", "/opt/edgeless/my-runtime",
 				configPath, tc.platform)
 			if tc.wantErr {
@@ -71,6 +81,44 @@ func TestPatchContainerdConfig(t *testing.T) {
 			configData, err := os.ReadFile(configPath)
 			require.NoError(err)
 			assert.Equal(string(tc.expected), string(configData))
+
+			if tc.expectedTemplate != nil {
+				// Unlike patchContainerdConfig, patchContainerdConfigTemplate
+				// requires the file to exist already. Create one.
+				configTemplatePath := filepath.Join(tmpDir, "config.toml.tmpl")
+				rawConfig, err := toml.Marshal(constants.ContainerdBaseConfig())
+				require.NoError(err)
+				err = os.WriteFile(configTemplatePath, rawConfig, os.ModePerm)
+				require.NoError(err)
+
+				// Testing patching a config template.
+
+				err = patchContainerdConfigTemplate("my-runtime", "/opt/edgeless/my-runtime",
+					configTemplatePath, tc.platform)
+				if tc.wantErr {
+					require.Error(err)
+					return
+				}
+				require.NoError(err)
+
+				configData, err = os.ReadFile(configTemplatePath)
+				require.NoError(err)
+				assert.Equal(string(tc.expectedTemplate), string(configData))
+
+				// Test that patching the same template twice doesn't change it.
+
+				err = patchContainerdConfigTemplate("my-runtime", "/opt/edgeless/my-runtime",
+					configTemplatePath, tc.platform)
+				if tc.wantErr {
+					require.Error(err)
+					return
+				}
+				require.NoError(err)
+
+				configData, err = os.ReadFile(configTemplatePath)
+				require.NoError(err)
+				assert.Equal(string(tc.expectedTemplate), string(configData))
+			}
 		})
 	}
 }
diff --git a/node-installer/testdata/expected-bare-metal-qemu-snp.toml.tmpl b/node-installer/testdata/expected-bare-metal-qemu-snp.toml.tmpl
@@ -0,0 +1,79 @@
+version = 2
+root = ''
+state = ''
+temp = ''
+plugin_dir = ''
+disabled_plugins = []
+required_plugins = []
+oom_score = 0
+imports = []
+
+[metrics]
+address = '0.0.0.0:10257'
+
+[plugins]
+[plugins.'io.containerd.grpc.v1.cri']
+sandbox_image = 'mcr.microsoft.com/oss/kubernetes/pause:3.6'
+
+[plugins.'io.containerd.grpc.v1.cri'.cni]
+bin_dir = '/opt/cni/bin'
+conf_dir = '/etc/cni/net.d'
+conf_template = '/etc/containerd/kubenet_template.conf'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd]
+default_runtime_name = 'runc'
+disable_snapshot_annotations = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes]
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata]
+runtime_type = 'io.containerd.kata.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc]
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+runtime_type = 'io.containerd.kata-cc.v2'
+snapshotter = 'tardev'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc.options]
+ConfigPath = '/opt/confidential-containers/share/defaults/kata-containers/configuration-clh-snp.toml'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli]
+runtime_type = 'io.containerd.runc.v1'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli.options]
+BinaryName = '/usr/bin/kata-runtime'
+CriuPath = ''
+IoGid = 0
+IoUid = 0
+NoNewKeyring = false
+NoPivotRoot = false
+Root = ''
+ShimCgroup = ''
+SystemdCgroup = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry]
+config_path = '/etc/containerd/certs.d'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry.headers]
+X-Meta-Source-Client = ['azure/aks']
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime]
+runtime_type = 'io.containerd.contrast-cc.v2'
+runtime_path = '/opt/edgeless/my-runtime/bin/containerd-shim-contrast-cc-v2'
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime.options]
+ConfigPath = '/opt/edgeless/my-runtime/etc/configuration-qemu-snp.toml'
diff --git a/node-installer/testdata/expected-bare-metal-qemu-tdx.toml.tmpl b/node-installer/testdata/expected-bare-metal-qemu-tdx.toml.tmpl
@@ -0,0 +1,79 @@
+version = 2
+root = ''
+state = ''
+temp = ''
+plugin_dir = ''
+disabled_plugins = []
+required_plugins = []
+oom_score = 0
+imports = []
+
+[metrics]
+address = '0.0.0.0:10257'
+
+[plugins]
+[plugins.'io.containerd.grpc.v1.cri']
+sandbox_image = 'mcr.microsoft.com/oss/kubernetes/pause:3.6'
+
+[plugins.'io.containerd.grpc.v1.cri'.cni]
+bin_dir = '/opt/cni/bin'
+conf_dir = '/etc/cni/net.d'
+conf_template = '/etc/containerd/kubenet_template.conf'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd]
+default_runtime_name = 'runc'
+disable_snapshot_annotations = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes]
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata]
+runtime_type = 'io.containerd.kata.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc]
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+runtime_type = 'io.containerd.kata-cc.v2'
+snapshotter = 'tardev'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc.options]
+ConfigPath = '/opt/confidential-containers/share/defaults/kata-containers/configuration-clh-snp.toml'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli]
+runtime_type = 'io.containerd.runc.v1'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli.options]
+BinaryName = '/usr/bin/kata-runtime'
+CriuPath = ''
+IoGid = 0
+IoUid = 0
+NoNewKeyring = false
+NoPivotRoot = false
+Root = ''
+ShimCgroup = ''
+SystemdCgroup = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry]
+config_path = '/etc/containerd/certs.d'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry.headers]
+X-Meta-Source-Client = ['azure/aks']
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime]
+runtime_type = 'io.containerd.contrast-cc.v2'
+runtime_path = '/opt/edgeless/my-runtime/bin/containerd-shim-contrast-cc-v2'
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime.options]
+ConfigPath = '/opt/edgeless/my-runtime/etc/configuration-qemu-tdx.toml'