kbs: Simplify deployment overlays

The current "s390x" overlay support is currently very SE specific, whereas deploying on non-SE s390x with the sample KBS is still an important scenario for our testing without specialised hardware. This scenario deployment matches the x86_64 deployment scenario, so let's go back to having a standard deployment, with a special case for ibm-se rather to reduce duplication. Update the documentation to clarify when and where `IBM_SE_CREDS_DIR` is needed. Signed-off-by: stevenhorsman <[email protected]>
confidential-containers · Oct 8, 2024 · b96ccf6 · b96ccf6
1 parent 02c84c9
commit b96ccf6
Show file tree

Hide file tree

Showing 16 changed files with 22 additions and 24 deletions.
diff --git a/kbs/config/kubernetes/README.md b/kbs/config/kubernetes/README.md
@@ -91,7 +91,10 @@ Deploy KBS by running the following command:
 ./deploy-kbs.sh
 ```
 
-For IBM Secure Execution (s390x), an environment variable `IBM_SE_CREDS_DIR` should be exported as follows:
+When deploying trustee on an [IBM Secure Execution](https://www.ibm.com/docs/en/linux-on-systems?topic=management-secure-execution)
+enabled environment, where the IBM SE verifier verifier is needed,
+an environment variable `IBM_SE_CREDS_DIR` is needed that points to a directory containing extra files required for
+attestation on IBM Secure Execution:
 
 ```
 $ export IBM_SE_CREDS_DIR=/path/to/your/directory
@@ -114,6 +117,10 @@ $ tree $IBM_SE_CREDS_DIR
 
 Please check out the [documentation](https://github.com/confidential-containers/trustee/tree/main/deps/verifier/src/se) for details.
 
+> [!NOTE]
+> For running trustee on non-TEE s390x environment using the sample verifier for non-production environments, this extra
+> `IBM_SE_CREDS_DIR` environment variable is not required.
+
 ## Check deployment
 
 Run the following command to check if the KBS is deployed successfully:

diff --git a/kbs/config/kubernetes/custom_pccs/kustomization.yaml b/kbs/config/kubernetes/custom_pccs/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 
 resources:
-- ../nodeport/x86_64
+- ../nodeport/
 
 patches:
 - path: set_custom_pccs.yaml

diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh
@@ -6,12 +6,11 @@ set -euo pipefail
 DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}"
 
 k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})"
-ARCH=$(uname -m)
 
 # Fail the script if the key.bin file does not exist.
-key_file="${k8s_cnf_dir}/overlays/${ARCH}/key.bin"
+key_file="${k8s_cnf_dir}/overlays/key.bin"
 [[ -f "${key_file}" ]] || {
-    echo "key.bin not found at ${k8s_cnf_dir}/overlays/${ARCH}/"
+    echo "key.bin not found at ${k8s_cnf_dir}/overlays/"
     exit 1
 }
 
@@ -22,18 +21,16 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem"
     openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}"
 }
 
-if [ "${ARCH}" == "s390x" ]; then
-    if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then
+if [ "$(uname -m)" == "s390x" ] && [ -n "${IBM_SE_CREDS_DIR:-}" ]; then
+    # We are using the ibm-se overlay
+    echo "ibm-se overlay being used as IBM_SE_CREDS_DIR was set"
+    DEPLOYMENT_DIR="${DEPLOYMENT_DIR}/ibm-se"
     export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
-    envsubst <"${k8s_cnf_dir}/overlays/s390x/pv.yaml" | kubectl apply -f -
-    else
-        echo "IBM_SE_CREDS_DIR is empty" >&2
-        exit 1
-    fi
+    envsubst <"${k8s_cnf_dir}/${DEPLOYMENT_DIR}/pv.yaml" | kubectl apply -f -
 fi
 
 if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then
-    kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}/${ARCH}"
+    kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
 else
     kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}"
 fi
diff --git a/kbs/config/kubernetes/ita/kustomization.yaml b/kbs/config/kubernetes/ita/kustomization.yaml
@@ -7,7 +7,7 @@ images:
   newTag: ita-as-v0.10.1
 
 resources:
-- ../nodeport/x86_64
+- ../nodeport/
 
 configMapGenerator:
 - name: kbs-config

diff --git a/...rnetes/nodeport/x86_64/kustomization.yaml → ...rnetes/nodeport/ibm-se/kustomization.yaml b/...rnetes/nodeport/x86_64/kustomization.yaml → ...rnetes/nodeport/ibm-se/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 
 resources:
-- ../../overlays/x86_64
+- ../../overlays/ibm-se
 
 patches:
 - path: patch.yaml

diff --git a/...nfig/kubernetes/nodeport/s390x/patch.yaml → ...fig/kubernetes/nodeport/ibm-se/patch.yaml b/...nfig/kubernetes/nodeport/s390x/patch.yaml → ...fig/kubernetes/nodeport/ibm-se/patch.yaml
diff --git a/...ernetes/nodeport/s390x/kustomization.yaml → ...ig/kubernetes/nodeport/kustomization.yaml b/...ernetes/nodeport/s390x/kustomization.yaml → ...ig/kubernetes/nodeport/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 
 resources:
-- ../../overlays/s390x
+- ../overlays/
 
 patches:
 - path: patch.yaml

diff --git a/...fig/kubernetes/nodeport/x86_64/patch.yaml → kbs/config/kubernetes/nodeport/patch.yaml b/...fig/kubernetes/nodeport/x86_64/patch.yaml → kbs/config/kubernetes/nodeport/patch.yaml
diff --git a/kbs/config/kubernetes/overlays/common/kustomization.yaml b/kbs/config/kubernetes/overlays/common/kustomization.yaml
diff --git a/...ernetes/overlays/s390x/kustomization.yaml → ...rnetes/overlays/ibm-se/kustomization.yaml b/...ernetes/overlays/s390x/kustomization.yaml → ...rnetes/overlays/ibm-se/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 
 resources:
-- ../common
+- ../../base
 - pvc.yaml
 
 patches:

diff --git a/...nfig/kubernetes/overlays/s390x/patch.yaml → ...fig/kubernetes/overlays/ibm-se/patch.yaml b/...nfig/kubernetes/overlays/s390x/patch.yaml → ...fig/kubernetes/overlays/ibm-se/patch.yaml
diff --git a/kbs/config/kubernetes/overlays/s390x/pv.yaml → ...config/kubernetes/overlays/ibm-se/pv.yaml b/kbs/config/kubernetes/overlays/s390x/pv.yaml → ...config/kubernetes/overlays/ibm-se/pv.yaml
diff --git a/...config/kubernetes/overlays/s390x/pvc.yaml → ...onfig/kubernetes/overlays/ibm-se/pvc.yaml b/...config/kubernetes/overlays/s390x/pvc.yaml → ...onfig/kubernetes/overlays/ibm-se/pvc.yaml
diff --git a/...g/kubernetes/overlays/common/ingress.yaml → kbs/config/kubernetes/overlays/ingress.yaml b/...g/kubernetes/overlays/common/ingress.yaml → kbs/config/kubernetes/overlays/ingress.yaml
diff --git a/...rnetes/overlays/x86_64/kustomization.yaml → ...ig/kubernetes/overlays/kustomization.yaml b/...rnetes/overlays/x86_64/kustomization.yaml → ...ig/kubernetes/overlays/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 namespace: coco-tenant
 
 resources:
-- ../common
+- ../base
 
 patches:
 - path: patch.yaml

diff --git a/...fig/kubernetes/overlays/x86_64/patch.yaml → kbs/config/kubernetes/overlays/patch.yaml b/...fig/kubernetes/overlays/x86_64/patch.yaml → kbs/config/kubernetes/overlays/patch.yaml