Add Azure integration test backend#170
Add Azure integration test backend#170Jakob-Naucke merged 5 commits intotrusted-execution-clusters:mainfrom
Conversation
|
Skipping CI for Draft Pull Request. |
|
|
||
| integration-tests: generate trusted-cluster-gen crds-rs | ||
| RUST_LOG=info REGISTRY=$(REGISTRY) TAG=$(TAG) \ | ||
| TRUSTEE_IMAGE=$(TRUSTEE_IMAGE) APPROVED_IMAGE=$(APPROVED_IMAGE) TEST_IMAGE=$(TEST_IMAGE) \ |
There was a problem hiding this comment.
nit: can you also update the README for the integrations tests
Jakob-Naucke
force-pushed
the
azure-test
branch
from
a72a201 to
fece91b
Compare
Jakob-Naucke
force-pushed
the
azure-test
branch
from
fece91b to
d93e5c9
Compare
|
update: first passing test |
Jakob-Naucke
force-pushed
the
azure-test
branch
from
d93e5c9 to
85d41d2
Compare
Jakob-Naucke
force-pushed
the
azure-test
branch
from
85d41d2 to
8f0139d
Compare
|
Moving out of draft NB this requires a trustee-attester without tpm-attester support until confidential-containers/guest-components#1277 is resolved. Even when az-snp-vtpm is registered, tpm-attester registers as composite evidence and then fails because the AK cannot be set up right on Azure. The Trustee community has some understandable concerns on silently not providing failed evidence, as well as disabling features on the command line because that might create misleading evidence. I've pushed one to quay.io/trusted-execution-clusters/trustee-attester:v0.17.0-az-only. |
tests/README.md
Outdated
| ### Running the tests | ||
|
|
||
| The Azure VMs must be able to reach cluster services like the registration server and Trustee. | ||
| If you are on OpenShift, export `PLATFORM=openshift` and `oc expose` will make the required services available. |
There was a problem hiding this comment.
can you provide an example for 'oc expose`, it requires the service to be exposed.
There was a problem hiding this comment.
The test code included in this PR handles this, so there should be no need to manually oc expose. Or what do you mean?
There was a problem hiding this comment.
This part of the docs isn't very clean on what is required to be expose. You mention oc expose, and it isn't very clear what needs to be exposed. That's why I asked an example
|
@Jakob-Naucke I think we need to randmize the name of the VM in azure. In case of kubevirt, the VM is namespaced, but for Azure that's not the case. This might introduce some conflicts when the test are run in parallel and if the VM they have the same name. Can you add a randmon 5 string char after the name of each VM? |
|
As a follow up PR, we also require a clean-up script for the VMs of the namespace that have failed. In case of KubeVirt, it isn't that bad because they got destroyed with the kind cluster, but with Azure that's not the case |
tests/README.md
Outdated
| export TEST_IMAGE=/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$resource_group/providers/Microsoft.Compute/galleries/$compute_gallery/images/$image_definition/versions/$image_version | ||
| ``` | ||
|
|
||
| ### Running the tests |
There was a problem hiding this comment.
It is also missing how you build and push the images in the openshift cluster
There was a problem hiding this comment.
Because I wasn't. But internal registry is probably possible, and I could add some general remarks on making them available.
Re both your comments on this file, I'm thinking if we should keep the areas "testing on OpenShift" and "testing on Azure" a little more separate, even if our CI will use them in tandem.
There was a problem hiding this comment.
Yes, probably we should mention how to test on openshift and our suggestions. Since one could think of using kind and Azure as well, but they need to expose the services if they want to test in this way
| let out = ["--output", "json"]; | ||
| let output = Command::new("az").args(args).args(out).output().await?; |
There was a problem hiding this comment.
can we check if the command is really installed and present in the system?
There was a problem hiding this comment.
First line of create_vm
There was a problem hiding this comment.
nit: why not here? instead of in create_vm?
There was a problem hiding this comment.
Moved for clarity. The origin of it being there is that virtctl is checked to be there early for KubeVirt, because there's a lot of sunk time until virtctl is used
| let out = ["--output", "json"]; | ||
| let output = Command::new("az").args(args).args(out).output().await?; |
There was a problem hiding this comment.
First line of create_vm
tests/README.md
Outdated
| export TEST_IMAGE=/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$resource_group/providers/Microsoft.Compute/galleries/$compute_gallery/images/$image_definition/versions/$image_version | ||
| ``` | ||
|
|
||
| ### Running the tests |
There was a problem hiding this comment.
Because I wasn't. But internal registry is probably possible, and I could add some general remarks on making them available.
Re both your comments on this file, I'm thinking if we should keep the areas "testing on OpenShift" and "testing on Azure" a little more separate, even if our CI will use them in tandem.
tests/README.md
Outdated
| ### Running the tests | ||
|
|
||
| The Azure VMs must be able to reach cluster services like the registration server and Trustee. | ||
| If you are on OpenShift, export `PLATFORM=openshift` and `oc expose` will make the required services available. |
There was a problem hiding this comment.
The test code included in this PR handles this, so there should be no need to manually oc expose. Or what do you mean?
|
The tests passed for me. Good job! We need to improve the docs and there is a refactoring for the openshift vs kind trait, but if you prefer we can address them in a follow up PR. |
This commit updates the test utils to support running trusted execution cluster tests on the OpenShift platform. To execute these tests on OpenShift, the following environment variables must be configured: - REGISTRY: The repository location of the container image. - TAG: The specific tag of the container image. - CLUSTER_URL: The API URL of the target cluster. - PLATFORM: Set this to 'openshift'. Signed-off-by: Roy Kaufman <rkaufman@redhat.com> Co-authored-by: Jakob Naucke <jnaucke@redhat.com>
- Field is now `az-snp-vtpm` (which requires quoting due to the dashes) instead of `azsnpvtpm` - No lowercasing required Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
Split test_utils::virt into a module with separate virt::kubevirt. Introduce the VIRT_PROVIDER variable to select. - Reformat a bit. - Make root_key an Option for environments where machine IDs cannot be correlated to IPs. Signed-off-by: Jakob Naucke <jnaucke@redhat.com> Assisted-by: Claude
Less double-tracking and adds flexibility for testing on cloud
platforms.
Environment variables:
- {TEST,TRUSTEE,APPROVED}_IMAGE
- TEST_NAMESPACE_PREFIX
Other changes:
- OpenShift service exposure
- Get cluster URL from OpenShift directly
- Reduce some lines & indentation in
TestContext::apply_operator_manifests and break it up some
- Move endpoint constants to lib
- Log error upon poll timeout
Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
Add integration tests backend for Azure (confidential VMs, no cluster join). Use Azure CLI to create a resource group per test, same name as the namespace (which can be prefixed). Auto-shutdown VMs after one hour. Signed-off-by: Jakob Naucke <jnaucke@redhat.com> Co-authored-by: Uri Lublin <uril@redhat.com> Assisted-by: Gemini, Claude
Jakob-Naucke
force-pushed
the
azure-test
branch
from
8f0139d to
84dc744
Compare
Jakob-Naucke
left a comment
Jakob-Naucke
left a comment
There was a problem hiding this comment.
@alicefr Thanks for your review! Everything should be addressed. Please take another look if you can.
| let out = ["--output", "json"]; | ||
| let output = Command::new("az").args(args).args(out).output().await?; |
There was a problem hiding this comment.
Moved for clarity. The origin of it being there is that virtctl is checked to be there early for KubeVirt, because there's a lot of sunk time until virtctl is used
|
@Jakob-Naucke: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: alicefr, Jakob-Naucke The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Jakob-Naucke
merged commit e103e68
into
trusted-execution-clusters:main
4 participants
$VIRT_PROVIDERbackendsDepends on #159, #179