diff --git a/kbs/config/kubernetes/README.md b/kbs/config/kubernetes/README.md index 67382994a..d552f920c 100644 --- a/kbs/config/kubernetes/README.md +++ b/kbs/config/kubernetes/README.md @@ -91,7 +91,10 @@ Deploy KBS by running the following command: ./deploy-kbs.sh ``` -For IBM Secure Execution (s390x), an environment variable `IBM_SE_CREDS_DIR` should be exported as follows: +When deploying trustee on an [IBM Secure Execution](https://www.ibm.com/docs/en/linux-on-systems?topic=management-secure-execution) +enabled environment, where the IBM SE verifier verifier is needed, +an environment variable `IBM_SE_CREDS_DIR` is needed that points to a directory containing extra files required for +attestation on IBM Secure Execution: ``` $ export IBM_SE_CREDS_DIR=/path/to/your/directory @@ -114,6 +117,10 @@ $ tree $IBM_SE_CREDS_DIR Please check out the [documentation](https://github.com/confidential-containers/trustee/tree/main/deps/verifier/src/se) for details. +> [!NOTE] +> For running trustee on non-TEE s390x environment using the sample verifier for non-production environments, this extra +> `IBM_SE_CREDS_DIR` environment variable is not required. + ## Check deployment Run the following command to check if the KBS is deployed successfully: diff --git a/kbs/config/kubernetes/custom_pccs/kustomization.yaml b/kbs/config/kubernetes/custom_pccs/kustomization.yaml index 4d24a667c..f373a287f 100644 --- a/kbs/config/kubernetes/custom_pccs/kustomization.yaml +++ b/kbs/config/kubernetes/custom_pccs/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../nodeport/x86_64 +- ../nodeport/ patches: - path: set_custom_pccs.yaml diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh index c19b51d0d..ddd2fdf17 100755 --- a/kbs/config/kubernetes/deploy-kbs.sh +++ b/kbs/config/kubernetes/deploy-kbs.sh 
@@ -6,12 +6,11 @@ set -euo pipefail DEPLOYMENT_DIR="${DEPLOYMENT_DIR:-overlays}" k8s_cnf_dir="$(dirname ${BASH_SOURCE[0]})" -ARCH=$(uname -m) # Fail the script if the key.bin file does not exist. -key_file="${k8s_cnf_dir}/overlays/${ARCH}/key.bin" +key_file="${k8s_cnf_dir}/overlays/key.bin" [[ -f "${key_file}" ]] || { - echo "key.bin not found at ${k8s_cnf_dir}/overlays/${ARCH}/" + echo "key.bin not found at ${k8s_cnf_dir}/overlays/" exit 1 } @@ -22,18 +21,16 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem" openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}" } -if [ "${ARCH}" == "s390x" ]; then - if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then +if [ "$(uname -m)" == "s390x" ] && [ -n "${IBM_SE_CREDS_DIR:-}" ]; then + # We are using the ibm-se overlay + echo "ibm-se overlay being used as IBM_SE_CREDS_DIR was set" + DEPLOYMENT_DIR="${DEPLOYMENT_DIR}/ibm-se" export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') - envsubst <"${k8s_cnf_dir}/overlays/s390x/pv.yaml" | kubectl apply -f - - else - echo "IBM_SE_CREDS_DIR is empty" >&2 - exit 1 - fi + envsubst <"${k8s_cnf_dir}/${DEPLOYMENT_DIR}/pv.yaml" | kubectl apply -f - fi if [[ "${DEPLOYMENT_DIR}" == "nodeport" || "${DEPLOYMENT_DIR}" == "overlays" ]]; then - kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}/${ARCH}" + kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}" else kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}" fi diff --git a/kbs/config/kubernetes/ita/kustomization.yaml b/kbs/config/kubernetes/ita/kustomization.yaml index 7715acd36..32c10818a 100644 --- a/kbs/config/kubernetes/ita/kustomization.yaml +++ b/kbs/config/kubernetes/ita/kustomization.yaml @@ -7,7 +7,7 @@ images: newTag: ita-as-v0.10.1 resources: -- ../nodeport/x86_64 +- ../nodeport/ configMapGenerator: - name: kbs-config 
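Review bot: The key.bin pre-check is now pinned to `overlays/key.bin`, but it runs before the script may switch `DEPLOYMENT_DIR` to the `ibm-se` overlay. `overlays/ibm-se/kustomization.yaml` lists `../../base` rather than `../` as its resource, so it inherits nothing from the top-level overlay. The rest of that kustomization is not visible in this diff; if it builds its secret from a `key.bin` in its own directory, the check can pass while `kubectl apply -k` fails, or reject a correct setup. Confirm which directory each overlay reads the key from, run the check after the overlay is selected, and send the message to stderr: `echo "key.bin not found at ${key_file}" >&2`.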
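Review bot: On s390x the script no longer stops when `IBM_SE_CREDS_DIR` is unset; the combined test falls through silently to the default overlay, so an operator who intended Secure Execution attestation and forgot the export gets a KBS without the ibm-se PV and no indication of it. The README in this same commit describes that default path on s390x as the sample verifier for non-production use, so the script should at least announce the choice on stderr, e.g. `elif [ "$(uname -m)" == "s390x" ]; then echo "IBM_SE_CREDS_DIR not set: deploying without the ibm-se overlay" >&2`. When the variable is set, a `[[ -d "${IBM_SE_CREDS_DIR}" ]]` check before `envsubst` would catch a mistyped path early (pv.yaml is not shown, so how it consumes the variable is assumed). The `if [[ ... == "nodeport" || ... == "overlays" ]]` block that follows now has two identical branches and can be reduced to a single `kubectl apply -k "${k8s_cnf_dir}/${DEPLOYMENT_DIR}"`.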
diff --git a/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml b/kbs/config/kubernetes/nodeport/ibm-se/kustomization.yaml similarity index 88% rename from kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml rename to kbs/config/kubernetes/nodeport/ibm-se/kustomization.yaml index 3f844547f..a52e20c61 100644 --- a/kbs/config/kubernetes/nodeport/x86_64/kustomization.yaml +++ b/kbs/config/kubernetes/nodeport/ibm-se/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../../overlays/x86_64 +- ../../overlays/ibm-se patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/nodeport/s390x/patch.yaml b/kbs/config/kubernetes/nodeport/ibm-se/patch.yaml similarity index 100% rename from kbs/config/kubernetes/nodeport/s390x/patch.yaml rename to kbs/config/kubernetes/nodeport/ibm-se/patch.yaml diff --git a/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml b/kbs/config/kubernetes/nodeport/kustomization.yaml similarity index 88% rename from kbs/config/kubernetes/nodeport/s390x/kustomization.yaml rename to kbs/config/kubernetes/nodeport/kustomization.yaml index 28a4fedb5..a40ff19c8 100644 --- a/kbs/config/kubernetes/nodeport/s390x/kustomization.yaml +++ b/kbs/config/kubernetes/nodeport/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../../overlays/s390x +- ../overlays/ patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/nodeport/x86_64/patch.yaml b/kbs/config/kubernetes/nodeport/patch.yaml similarity index 100% rename from kbs/config/kubernetes/nodeport/x86_64/patch.yaml rename to kbs/config/kubernetes/nodeport/patch.yaml diff --git a/kbs/config/kubernetes/overlays/common/kustomization.yaml b/kbs/config/kubernetes/overlays/common/kustomization.yaml deleted file mode 100644 index 84ababaf4..000000000 --- a/kbs/config/kubernetes/overlays/common/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: coco-tenant - -resources: -- ../../base diff --git a/kbs/config/kubernetes/overlays/s390x/kustomization.yaml b/kbs/config/kubernetes/overlays/ibm-se/kustomization.yaml similarity index 96% rename from kbs/config/kubernetes/overlays/s390x/kustomization.yaml rename to kbs/config/kubernetes/overlays/ibm-se/kustomization.yaml index 24a3a1d92..3f9443960 100644 --- a/kbs/config/kubernetes/overlays/s390x/kustomization.yaml +++ b/kbs/config/kubernetes/overlays/ibm-se/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../common +- ../../base - pvc.yaml patches: diff --git a/kbs/config/kubernetes/overlays/s390x/patch.yaml b/kbs/config/kubernetes/overlays/ibm-se/patch.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/s390x/patch.yaml rename to kbs/config/kubernetes/overlays/ibm-se/patch.yaml diff --git a/kbs/config/kubernetes/overlays/s390x/pv.yaml b/kbs/config/kubernetes/overlays/ibm-se/pv.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/s390x/pv.yaml rename to kbs/config/kubernetes/overlays/ibm-se/pv.yaml diff --git a/kbs/config/kubernetes/overlays/s390x/pvc.yaml b/kbs/config/kubernetes/overlays/ibm-se/pvc.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/s390x/pvc.yaml rename to kbs/config/kubernetes/overlays/ibm-se/pvc.yaml diff --git a/kbs/config/kubernetes/overlays/common/ingress.yaml b/kbs/config/kubernetes/overlays/ingress.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/common/ingress.yaml rename to kbs/config/kubernetes/overlays/ingress.yaml diff --git a/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml b/kbs/config/kubernetes/overlays/kustomization.yaml similarity index 96% rename from kbs/config/kubernetes/overlays/x86_64/kustomization.yaml rename to kbs/config/kubernetes/overlays/kustomization.yaml index 9b162df58..87e40e92c 100644 
--- a/kbs/config/kubernetes/overlays/x86_64/kustomization.yaml +++ b/kbs/config/kubernetes/overlays/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: coco-tenant resources: -- ../common +- ../base patches: - path: patch.yaml diff --git a/kbs/config/kubernetes/overlays/x86_64/patch.yaml b/kbs/config/kubernetes/overlays/patch.yaml similarity index 100% rename from kbs/config/kubernetes/overlays/x86_64/patch.yaml rename to kbs/config/kubernetes/overlays/patch.yaml