Skip to content

podvm: Enable se image build for rhel with and without --no-verify #605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: devel
Choose a base branch
from
Open

podvm: Enable se image build for rhel with and without --no-verify #605

wants to merge 1 commit into from

Conversation

ANJANA-A-R-K
Copy link
Contributor

Made changes to build RHEL SE enabled podvm image with an extra Arg of SE_VERIFY=true

- Description of the problem which is fixed/What is the use case
This PR introduces an additional feature to verify and download required certificates for secure environments when the SE_VERIFY tag is set to true

- What I did
I added a conditional block that checks if the SE_VERIFY environment variable is set to true. If so, it performs the following actions:

Downloads the IBM Z Host Key Signing Certificate (ibm-z-host-key-signing-gen2.crt).

Downloads the DigiCert CA certificate (DigiCertCA.crt).

Downloads the IBM Z Host Key CRL (ibm-z-host-key-gen2.crl).

- How to verify it
Built and deploy the pod VM image.

[root@bastion-rr-initdata ~]# oc get pods
NAME          READY   STATUS    RESTARTS   AGE
busybox-new   1/1     Running   0          41s

- Description for the changelog
Added SE_VERIFY flag to enable downloading and verifying security certificates for secure prod environments.

@ANJANA-A-R-K
podvm: Enable se image build for rhel with and without --no-verify
2cd0fe9 
Made changes to build RHEL SE enabled podvm image with an extra Arg of SE_VERIFY=true

Signed-off-by: ANJANA-A-R-K <[email protected]>
@openshift-ci openshift-ci bot requested review from gkurz and jensfr April 9, 2025 12:33
@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 9, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 9, 2025

Hi @ANJANA-A-R-K. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

bpradipt
bpradipt reviewed Apr 10, 2025
View reviewed changes
config/peerpods/podvm/libvirt-podvm-image-cm.yaml

# For Pre-built PodVM images.
PODVM_IMAGE_URI: "" # eg: oci::quay.io/openshift_sandboxed_containers/libvirt-podvm-image:latest::/image/podvm.qcow2

# Name of PodVM qcow2 to be built.
IMAGE_NAME: "podvm-image"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is IMAGE_NAME used in libvirt handler ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes it is being referenced in cloud-api-adaptor https://github.com/confidential-containers/cloud-api-adaptor/blob/0fb6afebc06909a2a6da62f389bb3abe5eda05f2/src/cloud-api-adaptor/podvm/Makefile.inc#L70
without this parameter the image creation jobs fails.
Makefile.inc:77: *** Failed to derive an image name. Explicitly define IMAGE_NAME. Stop.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: For other providers we are setting IMAGE_NAME in the handler code. You may want to check that to be sure..

bpradipt
bpradipt approved these changes Apr 11, 2025
View reviewed changes
Copy link
Contributor

@bpradipt bpradipt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

snir911
snir911 approved these changes Apr 15, 2025
View reviewed changes
Copy link
Contributor

@snir911 snir911 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, also if it would make sense maybe it should be considered to have the certificates statically

@littlejawa
Copy link
Contributor

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 16, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 16, 2025

@ANJANA-A-R-K: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bpradipt bpradipt bpradipt approved these changes

@snir911 snir911 snir911 approved these changes

@gkurz gkurz Awaiting requested review from gkurz

@jensfr jensfr Awaiting requested review from jensfr

Assignees
No one assigned
Labels
ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ANJANA-A-R-K @littlejawa @bpradipt @snir911