149 changes: 149 additions & 0 deletions baremetal/run_trusted_compute_baremetal.sh
@@ -0,0 +1,149 @@
#!/usr/bin/env bash

set -euo pipefail

PACKAGE_NAME="trusted-compute-installation-package"
PACKAGE_TAR="${PACKAGE_NAME}.tgz"
PACKAGE_REPO="registry-rs.edgeorchestration.intel.com/edge-orch/trusted-compute/baremetal/trusted-compute-installation-package"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TEMP_DIR="$(mktemp -d -t tc-baremetal-setup-XXXXXX)"
PACKAGE_SOURCE="oras"

show_help() {
cat <<EOF
Usage: $(basename "$0") [OPTIONS]

Options:
--local-build Build package locally using make (make build)
--help Show this help and exit
--h Show this help and exit
-h Show this help and exit

Default behavior:
Pull latest trusted compute installation package from registry using ORAS.
EOF
}

is_k3s_installed() {
command -v k3s >/dev/null 2>&1 || [[ -x "/usr/local/bin/k3s" ]]
}

is_trusted_compute_present() {
[[ -d "/opt/kata" || -d "/opt/trustagent" || -d "/opt/verifier" ]]
}

cleanup() {
if [[ -d "${TEMP_DIR}" ]]; then
rm -rf "${TEMP_DIR}"
fi
}
trap cleanup EXIT

while [[ $# -gt 0 ]]; do
case "$1" in
--local-build)
PACKAGE_SOURCE="local"
;;
--help|--h|-h)
show_help
exit 0
;;
*)
echo "Error: Unknown option: $1"
echo
show_help
exit 1
;;
esac
shift
done

if [[ "${PACKAGE_SOURCE}" == "oras" ]]; then
if ! command -v oras >/dev/null 2>&1; then
echo "Error: oras not found in PATH"
echo "Install ORAS and re-run this script, or use --local-build."
exit 1
fi

echo "[1/9] Getting latest trusted compute package tag from registry"
TAG="$(oras repo tags "${PACKAGE_REPO}" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -n 1)"

if [[ -z "${TAG}" ]]; then
echo "Error: Could not resolve latest semantic version tag from ${PACKAGE_REPO}"
exit 1
fi

echo "[2/9] Pulling ${PACKAGE_REPO}:${TAG} with ORAS"
cd "${TEMP_DIR}"
oras pull "${PACKAGE_REPO}:${TAG}"
else
echo "[1/9] Building local installation package with make build"
cd "${SCRIPT_DIR}"
make build

if [[ ! -f "${SCRIPT_DIR}/${PACKAGE_TAR}" ]]; then
echo "Error: ${PACKAGE_TAR} was not created by make build"
exit 1
fi

echo "[2/9] Copying locally built package into temp directory: ${TEMP_DIR}"
cp "${SCRIPT_DIR}/${PACKAGE_TAR}" "${TEMP_DIR}/"
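Review bot: in the oras branch the trust boundary is a mutable registry tag. `TAG` is whatever `oras repo tags "${PACKAGE_REPO}" | grep -E ... | sort -V | tail -n 1` returns at run time, `oras pull "${PACKAGE_REPO}:${TAG}"` fetches it unverified, and the contents are later executed with `sudo` (`k3s.sh`, `install.sh`), so anyone who can re-point the newest semver tag controls what runs as root on the host. Resolve the tag to a digest before pulling (for example with `oras resolve "${PACKAGE_REPO}:${TAG}"`), log that digest, and pull by `"${PACKAGE_REPO}@${DIGEST}"` so the run is reproducible and auditable; better still, verify a signature or a published checksum of the tarball before extraction. A smaller point in the same region: the help text and the `case` arm both accept `--h` alongside `-h` and `--help`; `--h` is non-standard and can be dropped.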
Comment on lines +80 to +90
fi

if [[ ! -f "${TEMP_DIR}/${PACKAGE_TAR}" ]]; then
echo "Error: ${PACKAGE_TAR} not found in temp directory"
exit 1
fi

echo "[3/9] Extracting ${PACKAGE_TAR}"
tar -xvf "${PACKAGE_TAR}"

Copilot AI Apr 4, 2026

In the --local-build flow the script remains in ${SCRIPT_DIR} after copying the tarball to ${TEMP_DIR}, but extraction runs tar -xvf "${PACKAGE_TAR}" from the current directory. This will fail (or extract the wrong file) because ${PACKAGE_TAR} is expected to be in ${TEMP_DIR}. Fix by extracting from ${TEMP_DIR} explicitly (e.g., cd "${TEMP_DIR}" before extraction or use tar -x... -C "${TEMP_DIR}" -f "${TEMP_DIR}/${PACKAGE_TAR}"). Also, since the file is .tgz, prefer using gzip-aware extraction flags/behavior to avoid portability issues.

Suggested change
tar -xvf "${PACKAGE_TAR}"
tar -xzvf "${TEMP_DIR}/${PACKAGE_TAR}" -C "${TEMP_DIR}"

if [[ ! -d "${TEMP_DIR}/${PACKAGE_NAME}" ]]; then
echo "Error: Expected directory ${PACKAGE_NAME} not found after extraction"
exit 1
fi

echo "[4/9] Entering ${PACKAGE_NAME}"
cd "${TEMP_DIR}/${PACKAGE_NAME}"

if is_trusted_compute_present; then
echo "[5/9] Existing Trusted Compute detected. Uninstalling k3s and cleaning directories"
sudo ./k3s/k3s.sh --uninstall || true
sudo rm -rf /opt/kata /opt/trustagent /opt/verifier
else
echo "[5/9] No existing Trusted Compute directories detected"
fi

if is_k3s_installed; then
echo "[6/9] k3s is already installed. Skipping k3s installation"
else
echo "[6/9] Installing k3s"
sudo ./k3s/k3s.sh --install
fi

echo "[7/9] Installing Trusted Compute Extension"
sudo ./install.sh

echo "[8/9] Deploying sample nginx trusted workload"
sudo kubectl create namespace nginx-test
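Review bot: the `is_trusted_compute_present` branch runs `sudo ./k3s/k3s.sh --uninstall` and `sudo rm -rf /opt/kata /opt/trustagent /opt/verifier` with no confirmation and no opt-in flag, and the only trigger is the existence of one of those directories, so a host with a standalone Kata install under `/opt/kata` or an unrelated k3s cluster gets torn down by a script whose temp-dir prefix calls it a setup. Gate the destructive path behind an explicit flag (for example `--reinstall`) or an interactive prompt, and drop the `|| true`: if `k3s.sh --uninstall` fails part-way, the `is_k3s_installed` check immediately afterwards can still find the `k3s` binary, skip `--install`, and continue into `install.sh` against a half-removed cluster. Note also that the uninstall script being executed comes from the package just downloaded, not from the installation it is removing.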

Copilot AI Apr 4, 2026

kubectl create namespace nginx-test will fail on re-runs if the namespace already exists, and because set -e is enabled the script will exit. Consider making this idempotent (e.g., use kubectl apply for the namespace definition, or check existence before creation) so the script can be safely re-run.

Suggested change
sudo kubectl create namespace nginx-test
sudo kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
name: nginx-test
EOF

sudo kubectl -n nginx-test apply -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
name: nginx-default
namespace: nginx-test
spec:
runtimeClassName: kata-qemu
containers:
- name: nginx
image: nginx:latest
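Review bot: the pod requests `runtimeClassName: kata-qemu` but nothing checks that a RuntimeClass of that name exists after `install.sh`; if it does not, the apply is either rejected with a RuntimeClass-not-found error or the pod never starts, and the `[9/9]` step then fails on an unrelated `logs` call. Add `sudo kubectl get runtimeclass kata-qemu` before the apply and exit with a pointed message when it is missing. The spec also has no `securityContext` and no resource `requests`/`limits`; for a sample whose purpose is to demonstrate a trusted workload it is worth showing the hardened form (at least `allowPrivilegeEscalation: false`, dropped capabilities, and a pinned image rather than `nginx:latest`) instead of a bare container.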

Copilot AI Apr 4, 2026

Using nginx:latest makes the deployed workload non-reproducible and can unexpectedly change over time. Pin to a specific version tag or (preferably) an immutable image digest to ensure deterministic behavior and reduce supply-chain risk.

Suggested change
image: nginx:latest
image: nginx:1.27.0

EOF

echo "[9/9] Verifying workload and cleaning up"
sudo kubectl get pods -n nginx-test
sudo kubectl describe pod nginx-default -n nginx-test
sudo kubectl logs nginx-default -n nginx-test
sudo kubectl delete namespace nginx-test
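Review bot: the `nginx-test` namespace is deleted only on the success path, while the `cleanup` trap removes nothing but `${TEMP_DIR}`; with `set -e`, any failure in `get pods`, `describe` or `logs` leaves the namespace and its Kata pod behind on the host. Move the deletion into `cleanup()` as `sudo kubectl delete namespace nginx-test --ignore-not-found=true`, guarded by `command -v kubectl` so the trap is still safe when the script exits before k3s is installed, and keep the explicit delete at the end for the normal path.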
Comment on lines +143 to +147

Copilot AI Apr 4, 2026

Verification is prone to flakiness: kubectl logs (and even describe/get output expectations) can fail or be misleading if the pod hasn't started yet, and with set -e the script will exit early. Add an explicit wait (e.g., wait for pod/nginx-default to be Ready with a timeout) before attempting to read logs, and consider ensuring cleanup runs even if verification fails.

echo "Trusted Compute baremetal setup and sample workload test completed successfully."