Automate bare-metal trusted compute deployment in K3 environment.#411
jena-satyabrata wants to merge 2 commits into main from
Signed-off-by: Jena, Satyabrata <satyabrata.jena@intel.com>
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a bare-metal automation script to install (or rebuild) the Trusted Compute package in a k3s environment and validate the setup by deploying a sample trusted workload.
Changes:
- Introduces a new run_trusted_compute_baremetal.sh script with --local-build and ORAS-based package retrieval.
- Automates cleanup/uninstall of prior Trusted Compute artifacts, installs k3s if missing, and runs extension install.
- Deploys and validates a sample nginx pod using the kata-qemu RuntimeClass, then cleans up.
| echo "[1/9] Building local installation package with make build" | ||
| cd "${SCRIPT_DIR}" | ||
| make build | ||
|
|
||
| if [[ ! -f "${SCRIPT_DIR}/${PACKAGE_TAR}" ]]; then | ||
| echo "Error: ${PACKAGE_TAR} was not created by make build" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "[2/9] Copying locally built package into temp directory: ${TEMP_DIR}" | ||
| cp "${SCRIPT_DIR}/${PACKAGE_TAR}" "${TEMP_DIR}/" |
| fi | ||
|
|
||
| echo "[3/9] Extracting ${PACKAGE_TAR}" | ||
| tar -xvf "${PACKAGE_TAR}" |
In the --local-build flow the script remains in ${SCRIPT_DIR} after copying the tarball to ${TEMP_DIR}, but extraction runs tar -xvf "${PACKAGE_TAR}" from the current directory. This will fail (or extract the wrong file) because ${PACKAGE_TAR} is expected to be in ${TEMP_DIR}. Fix by extracting from ${TEMP_DIR} explicitly (e.g., cd "${TEMP_DIR}" before extraction or use tar -x... -C "${TEMP_DIR}" -f "${TEMP_DIR}/${PACKAGE_TAR}"). Also, since the file is .tgz, prefer using gzip-aware extraction flags/behavior to avoid portability issues.
| tar -xvf "${PACKAGE_TAR}" | |
| tar -xzvf "${TEMP_DIR}/${PACKAGE_TAR}" -C "${TEMP_DIR}" |
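Review bot: the suggested tar -xzvf "${TEMP_DIR}/${PACKAGE_TAR}" -C "${TEMP_DIR}" fixes where the archive is extracted but leaves the working directory unchanged, and the next step in the script is sudo ./install.sh, which resolves relative to the current directory and so will not find the extracted installer in the --local-build flow. Either cd "${TEMP_DIR}" before extracting (after which the plain tar -xzvf "${PACKAGE_TAR}" also works) or invoke sudo "${TEMP_DIR}/install.sh". Because that installer runs as root, the step should also verify the archive it is about to execute (a checksum or signature check) rather than only testing that the file exists.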
| sudo ./install.sh | ||
|
|
||
| echo "[8/9] Deploying sample nginx trusted workload" | ||
| sudo kubectl create namespace nginx-test |
kubectl create namespace nginx-test will fail on re-runs if the namespace already exists, and because set -e is enabled the script will exit. Consider making this idempotent (e.g., use kubectl apply for the namespace definition, or check existence before creation) so the script can be safely re-run.
| sudo kubectl create namespace nginx-test | |
| sudo kubectl apply -f - <<'EOF' | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: nginx-test | |
| EOF |
| echo "[9/9] Verifying workload and cleaning up" | ||
| sudo kubectl get pods -n nginx-test | ||
| sudo kubectl describe pod nginx-default -n nginx-test | ||
| sudo kubectl logs nginx-default -n nginx-test | ||
| sudo kubectl delete namespace nginx-test |
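Review bot: the "verification" here never asserts that the workload actually ran. sudo kubectl get pods and sudo kubectl describe pod exit 0 whatever state the pod is in, including Pending or ContainerCreating, and the only command that can fail on an unstarted pod is kubectl logs, which under set -e aborts the script before the kubectl delete namespace on the last line, leaving nginx-test behind for the next run. Replace the get/describe pair with sudo kubectl wait --for=condition=Ready pod/nginx-default -n nginx-test --timeout=120s so the step fails for the case it is meant to catch, and move the namespace deletion into a trap on EXIT (with --ignore-not-found) so cleanup runs on both success and failure.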
Verification is prone to flakiness: kubectl logs (and even describe/get output expectations) can fail or be misleading if the pod hasn't started yet, and with set -e the script will exit early. Add an explicit wait (e.g., wait for pod/nginx-default to be Ready with a timeout) before attempting to read logs, and consider ensuring cleanup runs even if verification fails.
| runtimeClassName: kata-qemu | ||
| containers: | ||
| - name: nginx | ||
| image: nginx:latest |
Using nginx:latest makes the deployed workload non-reproducible and can unexpectedly change over time. Pin to a specific version tag or (preferably) an immutable image digest to ensure deterministic behavior and reduce supply-chain risk.
| image: nginx:latest | |
| image: nginx:1.27.0 |
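Review bot: the suggested image: nginx:1.27.0 pins a tag, not the immutable digest the comment above recommends; a tag can be re-pointed by whoever controls the repository, so for a workload whose purpose is to validate a trusted-compute setup the reference should include the digest, in the form nginx:1.27.0@sha256:<digest> (placeholder: resolve the digest of the image you actually tested with and commit that value).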