From 8e5ef07b4543902e9a3b2cf5283c494b59e0f628 Mon Sep 17 00:00:00 2001
From: Roy Kaufman
Date: Sun, 18 Jan 2026 18:12:22 +0200
Subject: [PATCH] Enable trusted_execution_cluster tests on OpenShift

This commit updates the test utils to support running trusted execution cluster tests on the OpenShift platform.
To execute these tests on OpenShift, the following environment variables must be configured:
- REGISTRY: The repository location of the container image.
- TAG: The specific tag of the container image.
- CLUSTER_URL: The API URL of the target cluster.
- PLATFORM: Set this to 'openshift'.

Signed-off-by: Roy Kaufman
---
 Cargo.lock | 7 ++++++
 test_utils/Cargo.toml | 1 +
 test_utils/src/lib.rs | 55 ++++++++++++++++++++++++-------------------
 3 files changed, 39 insertions(+), 24 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 295482fd..f1d5f49c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -973,6 +973,12 @@ dependencies = [
 "percent-encoding",
 ]
 
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "futures"
 version = "0.3.31"
@@ -3800,6 +3806,7 @@ dependencies = [
 "clevis-pin-trustee-lib",
 "compute-pcrs-lib",
 "env_logger",
+ "fs_extra",
 "http 1.4.0",
 "ignition-config",
 "k8s-openapi",
diff --git a/test_utils/Cargo.toml b/test_utils/Cargo.toml
index 8aaf4164..82913e09 100644
--- a/test_utils/Cargo.toml
+++ b/test_utils/Cargo.toml
@@ -31,3 +31,4 @@ tokio = { workspace = true, features = ["process"] }
 tower = { version = "0.5.2", features = ["full"] }
 uuid.workspace = true
 which = "8.0"
+fs_extra = "1.3.0"
diff --git a/test_utils/src/lib.rs b/test_utils/src/lib.rs
index 60bd4d87..91c4107a 100644
--- a/test_utils/src/lib.rs
+++ b/test_utils/src/lib.rs
@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: MIT
 
+use fs_extra::dir;
 use k8s_openapi::api::apps::v1::Deployment;
 use k8s_openapi::api::core::v1::{ConfigMap, Namespace};
 use kube::api::DeleteParams;
@@ -260,9 +261,11 @@ impl TestContext {
 );
 
 let crd_temp_dir = Path::new(&self.manifests_dir).join("crd");
+let rbac_dir = workspace_root.join("config/rbac/");
+let options = dir::CopyOptions::new();
+dir::copy(rbac_dir, &self.manifests_dir, &options)?;
 let rbac_temp_dir = Path::new(&self.manifests_dir).join("rbac");
 std::fs::create_dir_all(&crd_temp_dir)?;
-std::fs::create_dir_all(&rbac_temp_dir)?;
 
 let crd_temp_dir_str = crd_temp_dir
 .to_str()
@@ -300,7 +303,8 @@ impl TestContext {
 trusted_cluster_gen_path.display()
 ));
 }
-
+let repo = std::env::var("REGISTRY").unwrap_or_else(|_| "localhost:5000".to_string());
+let tag = std::env::var("TAG").unwrap_or_else(|_| "latest".to_string());
 let manifest_gen_output = Command::new(&trusted_cluster_gen_path)
 .args([
 "-namespace",
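Review bot: In the `-260,9` hunk, `dir::copy(rbac_dir, &self.manifests_dir, &options)?` runs before any `create_dir_all`, so it depends on `self.manifests_dir` already existing; the removed `create_dir_all(&rbac_temp_dir)` used to create that parent as a side effect. As far as I know, `CopyOptions::new()` neither creates a missing destination nor overwrites existing files, so a missing or reused manifests directory would fail at this line. Whether the directory is created earlier is not visible here; if it is not guaranteed, move `std::fs::create_dir_all(&crd_temp_dir)?;` above the copy and add a comment such as `// copies config/rbac to <manifests_dir>/rbac; expects a fresh manifests_dir`. The enclosing function starts and ends outside the hunk.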
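Review bot: In the `-300,7` hunk, the `REGISTRY` fallback `"localhost:5000"` drops the `trusted-execution-clusters/` path segment that the old literals carried. Together with the `format!("{repo}/trusted-cluster-operator:{tag}")` style arguments in the `-308,21` hunk, an unset `REGISTRY` now yields `localhost:5000/trusted-cluster-operator:latest` instead of `localhost:5000/trusted-execution-clusters/trusted-cluster-operator:latest`. Unless the images are pushed under the shorter path somewhere outside this patch, keep the kind default as `.unwrap_or_else(|_| "localhost:5000/trusted-execution-clusters".to_string())`. `unwrap_or_else` only covers an unset variable, so an empty `REGISTRY=` or `TAG=` passes through and produces a malformed image reference; a short comment naming both variables and their expected form would help. The enclosing function starts and ends outside the hunk.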
@@ -308,21 +312,20 @@ impl TestContext {
 "-output-dir",
 &self.manifests_dir,
 "-image",
-"localhost:5000/trusted-execution-clusters/trusted-cluster-operator:latest",
+&format!("{repo}/trusted-cluster-operator:{tag}"),
 "-pcrs-compute-image",
-"localhost:5000/trusted-execution-clusters/compute-pcrs:latest",
+&format!("{repo}/compute-pcrs:{tag}"),
 "-trustee-image",
 "quay.io/trusted-execution-clusters/key-broker-service:20260106",
 "-register-server-image",
-"localhost:5000/trusted-execution-clusters/registration-server:latest",
+&format!("{repo}/registration-server:{tag}"),
 "-attestation-key-register-image",
-"localhost:5000/trusted-execution-clusters/attestation-key-register:latest",
+&format!("{repo}/attestation-key-register:{tag}"),
 "-approved-image",
 "quay.io/trusted-execution-clusters/fedora-coreos@sha256:79a0657399e6c67c7c95b8a09193d18e5675b5aa3cfb4d75ea5c8d4d53b2af74"
 ])
 .output()
 .await?;
-
 if !manifest_gen_output.status.success() {
 let stderr = String::from_utf8_lossy(&manifest_gen_output.stderr);
 return Err(anyhow::anyhow!("Failed to generate manifests: {stderr}"));
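Review bot: The four `&format!("{repo}/…:{tag}")` arguments can only express `name:tag` references, so the operator images are deployed by mutable tag while `-approved-image` in the same list is pinned by digest. For runs against a shared registry it would help to document that `TAG` should be unique per run, or to accept a digest, so a stale `latest` is not what ends up under test. A one-line helper such as `let image = |name: &str| format!("{repo}/{name}:{tag}");` would keep the reference format in one place. The `.args([...])` call and its enclosing function start outside the hunk.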
@@ -395,25 +398,27 @@ impl TestContext {
 std::fs::write(&le_rb_dst, le_rb_content)?;
 
 test_info!(&self.test_name, "Preparing RBAC kustomization");
- let kustomization_content = format!(
- r#"# SPDX-FileCopyrightText: Generated for testing
-# SPDX-License-Identifier: CC0-1.0
-
-namespace: {}
-
-resources:
- - service_account.yaml
- - role.yaml
- - role_binding.yaml
- - leader_election_role.yaml
- - leader_election_role_binding.yaml
-"#,
- ns
- );
-
+let platform = std::env::var("PLATFORM").unwrap_or_else(|_| "kind".to_string());
+let kustomization_src = workspace_root.join("config/rbac/kustomization.yaml.in");
+let kustomization_content = std::fs::read_to_string(&kustomization_src)?
+ .replace("namespace: NAMESPACE", &format!("namespace: {}", ns))
+ .replace(
+ "resources:",
+ if platform == "openshift" {
+ "resources:\n - scc.yaml"
+ } else {
+ "resources:"
+ },
+ );
 let temp_kustomization_path = rbac_temp_dir.join("kustomization.yaml");
 std::fs::write(&temp_kustomization_path, kustomization_content)?;
 
+let scc_openshift_rb_src = workspace_root.join("config/openshift/scc.yaml");
+let scc_openshift_rb_content =
+std::fs::read_to_string(&scc_openshift_rb_src)?.replace("", &ns);
+let scc_openshift_rb_dst = rbac_temp_dir.join("scc.yaml");
+std::fs::write(&scc_openshift_rb_dst, scc_openshift_rb_content)?;
+
 kube_apply!(
 rbac_temp_dir_str,
 &self.test_name,
@@ -436,7 +441,9 @@ resources:
 &self.test_name,
 "Updating CR manifest with publicTrusteeAddr"
 );
-let trustee_addr = format!("kbs-service.{}.svc.cluster.local:8080", ns);
+let cluster_url =
+std::env::var("CLUSTER_URL").unwrap_or_else(|_| "svc.cluster.local".to_string());
+let trustee_addr = format!("kbs-service.{}.{}:8080", ns, cluster_url);
 let cr_manifest_path = manifests_path.join("trusted_execution_cluster_cr.yaml");
 let cr_content = std::fs::read_to_string(&cr_manifest_path)?;
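Review bot: In the `-395,25` hunk, `config/openshift/scc.yaml` is read and written into the RBAC directory on every platform, and the two `.replace()` calls on `kustomization.yaml.in` silently do nothing if the template text drifts. An SCC manifest presumably grants the operator's workloads extra privileges, so it should only be staged when `PLATFORM` is `openshift`. A template without the `namespace: NAMESPACE` placeholder should fail the test rather than apply RBAC with an unsubstituted namespace. `PLATFORM` is also compared exactly, so any other spelling quietly takes the kind path. The enclosing function starts and ends outside the hunk.

```rust
let template = std::fs::read_to_string(&kustomization_src)?;
// Fail loudly on template drift instead of applying RBAC with the placeholder namespace.
if !template.contains("namespace: NAMESPACE") {
    return Err(anyhow::anyhow!(
        "{} has no `namespace: NAMESPACE` placeholder",
        kustomization_src.display()
    ));
}
// … unchanged: the two .replace() calls (now on `template`) and the kustomization.yaml write …
if platform == "openshift" {
    // … unchanged: read config/openshift/scc.yaml, substitute the namespace, write rbac/scc.yaml …
}
```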