diff --git a/node-installer/node-installer_test.go b/node-installer/node-installer_test.go
index 49e8901f70..ec4e46de74 100644
--- a/node-installer/node-installer_test.go
+++ b/node-installer/node-installer_test.go
@@ -10,7 +10,9 @@ import (
 
 	_ "embed"
 
+	"github.com/edgelesssys/contrast/node-installer/internal/constants"
 	"github.com/edgelesssys/contrast/node-installer/platforms"
+	"github.com/pelletier/go-toml/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -18,30 +20,36 @@ import (
 var (
 	//go:embed testdata/expected-aks-clh-snp.toml
 	expectedConfAKSCLHSNP []byte
-
 	//go:embed testdata/expected-bare-metal-qemu-tdx.toml
 	expectedConfBareMetalQEMUTDX []byte
+	//go:embed testdata/expected-bare-metal-qemu-tdx.toml.tmpl
+	expectedConfTmplBareMetalQEMUTDX []byte
 	//go:embed testdata/expected-bare-metal-qemu-snp.toml
 	expectedConfBareMetalQEMUSNP []byte
+	//go:embed testdata/expected-bare-metal-qemu-snp.toml.tmpl
+	expectedConfTmplBareMetalQEMUSNP []byte
 )
 
 func TestPatchContainerdConfig(t *testing.T) {
 	testCases := map[string]struct {
-		platform platforms.Platform
-		expected []byte
-		wantErr  bool
+		platform         platforms.Platform
+		expected         []byte
+		expectedTemplate []byte
+		wantErr          bool
 	}{
 		"AKSCLHSNP": {
 			platform: platforms.AKSCloudHypervisorSNP,
 			expected: expectedConfAKSCLHSNP,
 		},
 		"BareMetalQEMUTDX": {
-			platform: platforms.K3sQEMUTDX,
-			expected: expectedConfBareMetalQEMUTDX,
+			platform:         platforms.K3sQEMUTDX,
+			expected:         expectedConfBareMetalQEMUTDX,
+			expectedTemplate: expectedConfTmplBareMetalQEMUTDX,
 		},
 		"BareMetalQEMUSNP": {
-			platform: platforms.K3sQEMUSNP,
-			expected: expectedConfBareMetalQEMUSNP,
+			platform:         platforms.K3sQEMUSNP,
+			expected:         expectedConfBareMetalQEMUSNP,
+			expectedTemplate: expectedConfTmplBareMetalQEMUSNP,
 		},
 		"Unknown": {
 			platform: platforms.Unknown,
@@ -60,6 +68,8 @@ func TestPatchContainerdConfig(t *testing.T) {
 
 			configPath := filepath.Join(tmpDir, "config.toml")
 
+			// Testing patching a config.
+
 			err = patchContainerdConfig("my-runtime", "/opt/edgeless/my-runtime", configPath, tc.platform)
 			if tc.wantErr {
@@ -71,6 +81,44 @@ func TestPatchContainerdConfig(t *testing.T) {
 			configData, err := os.ReadFile(configPath)
 			require.NoError(err)
 			assert.Equal(string(tc.expected), string(configData))
+
+			if tc.expectedTemplate != nil {
+				// Unlike patchContainerdConfig, patchContainerdConfigTemplate
+				// requires the file to exist already. Create one.
+				configTemplatePath := filepath.Join(tmpDir, "config.toml.tmpl")
+				rawConfig, err := toml.Marshal(constants.ContainerdBaseConfig())
+				require.NoError(err)
+				err = os.WriteFile(configTemplatePath, rawConfig, os.ModePerm)
+				require.NoError(err)
+
+				// Testing patching a config template.
+
+				err = patchContainerdConfigTemplate("my-runtime", "/opt/edgeless/my-runtime", configTemplatePath, tc.platform)
+				if tc.wantErr {
+					require.Error(err)
+					return
+				}
+				require.NoError(err)
+
+				configData, err = os.ReadFile(configTemplatePath)
+				require.NoError(err)
+				assert.Equal(string(tc.expectedTemplate), string(configData))
+
+				// Test that patching the same template twice doesn't change it.
+
+				err = patchContainerdConfigTemplate("my-runtime", "/opt/edgeless/my-runtime", configTemplatePath, tc.platform)
+				if tc.wantErr {
+					require.Error(err)
+					return
+				}
+				require.NoError(err)
+
+				configData, err = os.ReadFile(configTemplatePath)
+				require.NoError(err)
+				assert.Equal(string(tc.expectedTemplate), string(configData))
+			}
 		})
 	}
 }
diff --git a/node-installer/testdata/expected-bare-metal-qemu-snp.toml.tmpl b/node-installer/testdata/expected-bare-metal-qemu-snp.toml.tmpl
new file mode 100644
index 0000000000..4afc781488
--- /dev/null
+++ b/node-installer/testdata/expected-bare-metal-qemu-snp.toml.tmpl
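Review bot: `os.WriteFile(configTemplatePath, rawConfig, os.ModePerm)` in the second hunk creates the containerd template world-writable (0777); a config fixture should be written with the mode such a file actually carries on a node, `err = os.WriteFile(configTemplatePath, rawConfig, 0o644)`, so the test neither depends on nor masks whatever mode patchContainerdConfigTemplate preserves or sets. The two `if tc.wantErr { require.Error(err); return }` checks inside the `expectedTemplate != nil` block look unreachable: the earlier `if tc.wantErr` branch (its body lies between the two hunks, outside this view) presumably returns before the first `assert.Equal`, and no case sets both `wantErr` and `expectedTemplate`. Folding the two patch-and-compare passes into a two-iteration loop, with the iteration in the failure message, makes the idempotence check read as one assertion rather than a copy-paste and drops the dead branches. The enclosing subtest closure starts outside the hunk.
```go
				// … unchanged: configTemplatePath and rawConfig setup …
				err = os.WriteFile(configTemplatePath, rawConfig, 0o644)
				require.NoError(err)

				// Patch twice: the second pass must leave the template unchanged.
				for i := 0; i < 2; i++ {
					err = patchContainerdConfigTemplate("my-runtime", "/opt/edgeless/my-runtime", configTemplatePath, tc.platform)
					require.NoError(err, "patch %d", i)

					configData, err = os.ReadFile(configTemplatePath)
					require.NoError(err)
					assert.Equal(string(tc.expectedTemplate), string(configData), "patch %d", i)
				}
```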
@@ -0,0 +1,79 @@
+version = 2
+root = ''
+state = ''
+temp = ''
+plugin_dir = ''
+disabled_plugins = []
+required_plugins = []
+oom_score = 0
+imports = []
+
+[metrics]
+address = '0.0.0.0:10257'
+
+[plugins]
+[plugins.'io.containerd.grpc.v1.cri']
+sandbox_image = 'mcr.microsoft.com/oss/kubernetes/pause:3.6'
+
+[plugins.'io.containerd.grpc.v1.cri'.cni]
+bin_dir = '/opt/cni/bin'
+conf_dir = '/etc/cni/net.d'
+conf_template = '/etc/containerd/kubenet_template.conf'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd]
+default_runtime_name = 'runc'
+disable_snapshot_annotations = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes]
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata]
+runtime_type = 'io.containerd.kata.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc]
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+runtime_type = 'io.containerd.kata-cc.v2'
+snapshotter = 'tardev'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc.options]
+ConfigPath = '/opt/confidential-containers/share/defaults/kata-containers/configuration-clh-snp.toml'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli]
+runtime_type = 'io.containerd.runc.v1'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli.options]
+BinaryName = '/usr/bin/kata-runtime'
+CriuPath = ''
+IoGid = 0
+IoUid = 0
+NoNewKeyring = false
+NoPivotRoot = false
+Root = ''
+ShimCgroup = ''
+SystemdCgroup = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry]
+config_path = '/etc/containerd/certs.d'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry.headers]
+X-Meta-Source-Client = ['azure/aks']
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime]
+runtime_type = 'io.containerd.contrast-cc.v2'
+runtime_path = '/opt/edgeless/my-runtime/bin/containerd-shim-contrast-cc-v2'
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime.options]
+ConfigPath = '/opt/edgeless/my-runtime/etc/configuration-qemu-snp.toml'
diff --git a/node-installer/testdata/expected-bare-metal-qemu-tdx.toml.tmpl b/node-installer/testdata/expected-bare-metal-qemu-tdx.toml.tmpl
new file mode 100644
index 0000000000..7fa7eb68f9
--- /dev/null
+++ b/node-installer/testdata/expected-bare-metal-qemu-tdx.toml.tmpl
@@ -0,0 +1,79 @@
+version = 2
+root = ''
+state = ''
+temp = ''
+plugin_dir = ''
+disabled_plugins = []
+required_plugins = []
+oom_score = 0
+imports = []
+
+[metrics]
+address = '0.0.0.0:10257'
+
+[plugins]
+[plugins.'io.containerd.grpc.v1.cri']
+sandbox_image = 'mcr.microsoft.com/oss/kubernetes/pause:3.6'
+
+[plugins.'io.containerd.grpc.v1.cri'.cni]
+bin_dir = '/opt/cni/bin'
+conf_dir = '/etc/cni/net.d'
+conf_template = '/etc/containerd/kubenet_template.conf'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd]
+default_runtime_name = 'runc'
+disable_snapshot_annotations = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes]
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata]
+runtime_type = 'io.containerd.kata.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc]
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+runtime_type = 'io.containerd.kata-cc.v2'
+snapshotter = 'tardev'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata-cc.options]
+ConfigPath = '/opt/confidential-containers/share/defaults/kata-containers/configuration-clh-snp.toml'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli]
+runtime_type = 'io.containerd.runc.v1'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.katacli.options]
+BinaryName = '/usr/bin/kata-runtime'
+CriuPath = ''
+IoGid = 0
+IoUid = 0
+NoNewKeyring = false
+NoPivotRoot = false
+Root = ''
+ShimCgroup = ''
+SystemdCgroup = false
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.runc.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted]
+runtime_type = 'io.containerd.runc.v2'
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.untrusted.options]
+BinaryName = '/usr/bin/runc'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry]
+config_path = '/etc/containerd/certs.d'
+
+[plugins.'io.containerd.grpc.v1.cri'.registry.headers]
+X-Meta-Source-Client = ['azure/aks']
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime]
+runtime_type = 'io.containerd.contrast-cc.v2'
+runtime_path = '/opt/edgeless/my-runtime/bin/containerd-shim-contrast-cc-v2'
+pod_annotations = ['io.katacontainers.*']
+privileged_without_host_devices = true
+
+[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.my-runtime.options]
+ConfigPath = '/opt/edgeless/my-runtime/etc/configuration-qemu-tdx.toml'