kbs: Remove oci.kbs version and references

Our KBS logic currently checks out the git.kbs version of code, but then edits
the deployment config to override the image based on the oci.kbs version.

This means that there is an assumption that the oci image
of the KBS is compatible with the kustomization, which might not
not always be the case and in the "always safe" case where the
image is built from that exact version of code (e.g. releases), just
means that we have to specify it in two places, so there isn't much advantage
to this approach.

This PR removes the oci.kbs image and versioning to avoid this
potential incompatibility and simplify trustee version updates.

Fixes: confidential-containers#2076
Signed-off-by: stevenhorsman <[email protected]>

.github/workflows/azure-e2e-test.yml

@@ -117,17 +117,10 @@ jobs:
           echo "TEST_PROVISION_FILE=${{ format(env.TEST_PROVISION_PATH_TEMPLATE, matrix.parameters.id) }}" >> "$GITHUB_ENV"
           echo "CLUSTER_NAME=${{ format(env.CLUSTER_NAME_TEMPLATE, matrix.parameters.id) }}" >> "$GITHUB_ENV"
 
-    - name: Extract provisioner environment
-      run: |
-        echo "KBS_IMAGE=$(yq -e '.oci.kbs.registry' versions.yaml)" >> "$GITHUB_ENV"
-        echo "KBS_IMAGE_TAG=$(yq -e '.oci.kbs.tag' versions.yaml)" >> "$GITHUB_ENV"
-
     - name: Create provisioner file
       env:
         AZURE_IMAGE_ID: ${{ inputs.podvm-image-id }}
         CAA_IMAGE: "${{ github.event.inputs.caa-image || needs.build-caa-container-image.outputs.caa-image }}"
-        KBS_IMAGE: ${{ github.event.inputs.kbs-image-id || env.KBS_IMAGE }}
-        KBS_IMAGE_TAG: ${{  github.event.inputs.kbs-image-tag || env.KBS_IMAGE_TAG}}
         AZURE_INSTANCE_SIZE: ${{ matrix.parameters.machine_type }}
       run: |
         echo "Provisioner file for ${{ matrix.parameters.id }}"
@@ -142,8 +135,6 @@ jobs:
           IS_CI_MANAGED_CLUSTER="true"
           MANAGED_IDENTITY_NAME="${{ secrets.AZURE_MANAGED_IDENTITY_NAME}}"
           CAA_IMAGE="${CAA_IMAGE}"
-          KBS_IMAGE="${KBS_IMAGE}"
-          KBS_IMAGE_TAG="${KBS_IMAGE_TAG}"
           AZURE_INSTANCE_SIZE="${AZURE_INSTANCE_SIZE}"
           TAGS="${{ env.TEST_TAGS }}"
           FEDERATED_CREDENTIAL_NAME="${{ env.CLUSTER_NAME }}"

src/cloud-api-adaptor/libvirt/config_libvirt.sh

@@ -118,7 +118,3 @@ rm -f libvirt.properties
 echo "libvirt_uri=\"qemu+ssh://${USER}@${IP}/system?no_verify=1\"" >> libvirt.properties
 echo "libvirt_ssh_key_file=\"id_rsa\"" >> libvirt.properties
 echo "CLUSTER_NAME=\"peer-pods\"" >> libvirt.properties
-KBS_IMAGE=$(./hack/yq-shim.sh '.oci.kbs.registry' ./versions.yaml)
-KBS_IMAGE_TAG=$(./hack/yq-shim.sh '.oci.kbs.tag' ./versions.yaml)
-[ -z ${KBS_IMAGE} ] || echo "KBS_IMAGE=\"${KBS_IMAGE}\"" >> libvirt.properties
-[ -z ${KBS_IMAGE_TAG} ] || echo "KBS_IMAGE_TAG=\"${KBS_IMAGE_TAG}\"" >> libvirt.properties

src/cloud-api-adaptor/test/e2e/README.md

@@ -81,12 +81,10 @@ popd
 
 Then extract the PodVM image and use it following [extracting-the-qcow2-image](../../podvm/README.md#extracting-the-qcow2-image)
 
-To deploy the KBS service and test attestation related cases, export the following variables like:
+To deploy the KBS service and test attestation related cases, export the following variable:
 
 ```sh
 export DEPLOY_KBS=yes
-export KBS_IMAGE=$(./hack/yq-shim.sh '.oci.kbs.registry' ./versions.yaml)
-export KBS_IMAGE_TAG=$(./hack/yq-shim.sh '.oci.kbs.tag' ./versions.yaml)
 ````
 
 # Running end-to-end tests against pre-configured cluster
@@ -256,4 +254,4 @@ func TestCloudProviderCreateSimplePod(t *testing.T) {
     assert := MyAssert{}
     DoTestCreateSimplePod(t, assert)
 }
-```
+```

src/cloud-api-adaptor/test/e2e/main_test.go

@@ -5,7 +5,6 @@ package e2e
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"testing"
 
@@ -123,13 +122,7 @@ func TestMain(m *testing.M) {
 		var err error
 
 		// Get properties
-
 		props := provisioner.GetProperties(ctx, cfg)
-		if shouldDeployKbs {
-			if props["KBS_IMAGE"] == "" || props["KBS_IMAGE_TAG"] == "" {
-				return ctx, fmt.Errorf("kbs image not provided")
-			}
-		}
 
 		// Set CONTAINER_RUNTIME env variable if present in the properties
 		// Default value is containerd.

src/cloud-api-adaptor/test/provisioner/azure/provision_azure.properties

@@ -14,10 +14,6 @@ AZURE_CLI_AUTH="false"
 IS_CI_MANAGED_CLUSTER="false"
 IS_SELF_MANAGED_CLUSTER="false"
 
-# KBS configs
-KBS_IMAGE="${KBS_IMAGE}"
-KBS_IMAGE_TAG="${KBS_IMAGE_TAG}"
-
 AZURE_INSTANCE_SIZE="${AZURE_INSTANCE_SIZE}"
 
 # either "containerd" or "crio"

src/cloud-api-adaptor/test/provisioner/azure/provision_azure_cli_auth.properties

@@ -10,6 +10,4 @@ SSH_USERNAME=""
 AZURE_CLI_AUTH="true"
 IS_CI_MANAGED_CLUSTER="true"
 CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor:latest"
-KBS_IMAGE="${KBS_IMAGE}"
-KBS_IMAGE_TAG="${KBS_IMAGE_TAG}"
 AZURE_INSTANCE_SIZE="${AZURE_INSTANCE_SIZE}"

src/cloud-api-adaptor/test/provisioner/azure/provision_common.go

@@ -359,8 +359,6 @@ func getPropertiesImpl() map[string]string {
 		"AZURE_IMAGE_ID":        AzureProps.ImageID,
 		"AZURE_SUBNET_ID":       AzureProps.SubnetID,
 		"AZURE_INSTANCE_SIZE":   AzureProps.InstanceSize,
-		"KBS_IMAGE":             AzureProps.KbsImage,
-		"KBS_IMAGE_TAG":         AzureProps.KbsImageTag,
 		"TAGS":                  AzureProps.Tags,
 		"CONTAINER_RUNTIME":     AzureProps.ContainerRuntime,
 	}

src/cloud-api-adaptor/test/provisioner/azure/provision_initializer.go

@@ -33,8 +33,6 @@ type AzureProperties struct {
 	IsCIManaged         bool
 	CaaImage            string
 	IsSelfManaged       bool
-	KbsImage            string
-	KbsImageTag         string
 	Tags                string
 
 	InstanceSize string
@@ -68,8 +66,6 @@ func initAzureProperties(properties map[string]string) error {
 		SshUserName:             properties["SSH_USERNAME"],
 		ManagedIdentityName:     properties["MANAGED_IDENTITY_NAME"],
 		CaaImage:                properties["CAA_IMAGE"],
-		KbsImage:                properties["KBS_IMAGE"],
-		KbsImageTag:             properties["KBS_IMAGE_TAG"],
 		InstanceSize:            properties["AZURE_INSTANCE_SIZE"],
 		Tags:                    properties["TAGS"],
 		FederatedCredentialName: properties["FEDERATED_CREDENTIAL_NAME"],

src/cloud-api-adaptor/test/provisioner/docker/provision_common.go

@@ -38,8 +38,6 @@ type DockerProperties struct {
 	PodvmImage       string
 	CaaImage         string
 	CaaImageTag      string
-	KbsImage         string
-	KbsImageTag      string
 	ContainerRuntime string
 }
 
@@ -55,8 +53,6 @@ func initDockerProperties(properties map[string]string) error {
 		PodvmImage:       properties["DOCKER_PODVM_IMAGE"],
 		CaaImage:         properties["CAA_IMAGE"],
 		CaaImageTag:      properties["CAA_IMAGE_TAG"],
-		KbsImage:         properties["KBS_IMAGE"],
-		KbsImageTag:      properties["KBS_IMAGE_TAG"],
 		ContainerRuntime: properties["CONTAINER_RUNTIME"],
 	}
 	return nil
@@ -138,8 +134,6 @@ func (l *DockerProvisioner) GetProperties(ctx context.Context, cfg *envconf.Conf
 		"DOCKER_PODVM_IMAGE":  DockerProps.PodvmImage,
 		"CAA_IMAGE":           DockerProps.CaaImage,
 		"CAA_IMAGE_TAG":       DockerProps.CaaImageTag,
-		"KBS_IMAGE":           DockerProps.KbsImage,
-		"KBS_IMAGE_TAG":       DockerProps.KbsImageTag,
 		"CONTAINER_RUNTIME":   DockerProps.ContainerRuntime,
 	}
 }

src/cloud-api-adaptor/test/provisioner/docker/provision_docker.properties

@@ -6,9 +6,5 @@ DOCKER_NETWORK_NAME="kind"
 CAA_IMAGE=""
 CAA_IMAGE_TAG=""
 
-# KBS configs
-KBS_IMAGE=""
-KBS_IMAGE_TAG=""
-
 # either "containerd" or "crio"
 CONTAINER_RUNTIME="containerd"

src/cloud-api-adaptor/test/provisioner/libvirt/provision_common.go

@@ -21,16 +21,14 @@ import (
 
 // LibvirtProvisioner implements the CloudProvisioner interface for Libvirt.
 type LibvirtProvisioner struct {
-	conn          *libvirt.Connect // Libvirt connection
-	network       string           // Network name
-	ssh_key_file  string           // SSH key file used to connect to Libvirt
-	storage       string           // Storage pool name
-	uri           string           // Libvirt URI
-	wd            string           // libvirt's directory path on this repository
-	volumeName    string           // Podvm volume name
-	clusterName   string           // Cluster name
-	kbs_image     string           // KBS Service OCI Image URL
-	kbs_image_tag string           // KBS Service OCI Image Tag
+	conn         *libvirt.Connect // Libvirt connection
+	network      string           // Network name
+	ssh_key_file string           // SSH key file used to connect to Libvirt
+	storage      string           // Storage pool name
+	uri          string           // Libvirt URI
+	wd           string           // libvirt's directory path on this repository
+	volumeName   string           // Podvm volume name
+	clusterName  string           // Cluster name
 }
 
 // LibvirtInstallOverlay implements the InstallOverlay interface
@@ -82,28 +80,16 @@ func NewLibvirtProvisioner(properties map[string]string) (pv.CloudProvisioner, e
 		clusterName = properties["cluster_name"]
 	}
 
-	kbs_image := "ghcr.io/confidential-containers/key-broker-service"
-	if properties["KBS_IMAGE"] != "" {
-		kbs_image = properties["KBS_IMAGE"]
-	}
-
-	kbs_image_tag := "latest"
-	if properties["KBS_IMAGE_TAG"] != "" {
-		kbs_image_tag = properties["KBS_IMAGE_TAG"]
-	}
-
 	// TODO: Check network and storage are not nil?
 	return &LibvirtProvisioner{
-		conn:          conn,
-		network:       network,
-		ssh_key_file:  ssh_key_file,
-		storage:       storage,
-		uri:           uri,
-		wd:            wd,
-		volumeName:    vol_name,
-		clusterName:   clusterName,
-		kbs_image:     kbs_image,
-		kbs_image_tag: kbs_image_tag,
+		conn:         conn,
+		network:      network,
+		ssh_key_file: ssh_key_file,
+		storage:      storage,
+		uri:          uri,
+		wd:           wd,
+		volumeName:   vol_name,
+		clusterName:  clusterName,
 	}, nil
 }
 
@@ -203,13 +189,11 @@ func (l *LibvirtProvisioner) DeleteVPC(ctx context.Context, cfg *envconf.Config)
 
 func (l *LibvirtProvisioner) GetProperties(ctx context.Context, cfg *envconf.Config) map[string]string {
 	return map[string]string{
-		"network":       l.network,
-		"podvm_volume":  l.volumeName,
-		"ssh_key_file":  l.ssh_key_file,
-		"storage":       l.storage,
-		"uri":           l.uri,
-		"KBS_IMAGE":     l.kbs_image,
-		"KBS_IMAGE_TAG": l.kbs_image_tag,
+		"network":      l.network,
+		"podvm_volume": l.volumeName,
+		"ssh_key_file": l.ssh_key_file,
+		"storage":      l.storage,
+		"uri":          l.uri,
 	}
 }
 

src/cloud-api-adaptor/test/provisioner/trustee_kbs.go

@@ -346,17 +346,7 @@ func (lio *KbsInstallOverlay) Delete(ctx context.Context, cfg *envconf.Config) e
 }
 
 func (lio *KbsInstallOverlay) Edit(ctx context.Context, cfg *envconf.Config, props map[string]string) error {
-	var err error
-	log.Infof("Updating kbs image with %q", props["KBS_IMAGE"])
-	if err = lio.overlay.SetKustomizeImage("kbs-container-image", "newName", props["KBS_IMAGE"]); err != nil {
-		return err
-	}
-
-	log.Infof("Updating kbs image tag with %q", props["KBS_IMAGE_TAG"])
-	if err = lio.overlay.SetKustomizeImage("kbs-container-image", "newTag", props["KBS_IMAGE_TAG"]); err != nil {
-		return err
-	}
-
+	// No edits needed here at the moment
 	return nil
 }
 

src/cloud-api-adaptor/test/tools/provisioner-cli/main.go

@@ -91,9 +91,7 @@ func main() {
 
 		if shouldDeployKbs {
 			log.Info("Deploying kbs")
-			if props["KBS_IMAGE"] == "" || props["KBS_IMAGE_TAG"] == "" {
-				log.Fatal("kbs image not provided")
-			}
+
 			keyBrokerService, err := pv.NewKeyBrokerService(props["CLUSTER_NAME"], cfg)
 			if err != nil {
 				log.Fatal(err)

src/cloud-api-adaptor/versions.yaml

@@ -51,6 +51,3 @@ oci:
   pause:
     registry: docker://registry.k8s.io/pause
     tag: 3.9
-  kbs:
-    registry: ghcr.io/confidential-containers/key-broker-service
-    tag: built-in-as-v0.10.1