Test upstream agent image

Modify containers test plan to test using images from upstream registry for the verifier, registrar, and agent. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
RedHat-SP-Security · Aug 9, 2023 · d41e660 · d41e660
1 parent 28198ac
commit d41e660
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 11 deletions.
diff --git a/container/functional/keylime_agent_container-basic-attestation/test.sh b/container/functional/keylime_agent_container-basic-attestation/test.sh
@@ -8,6 +8,8 @@
 
 [ -n "$AGENT_DOCKERFILE" ] || AGENT_DOCKERFILE=Dockerfile.upstream.c9s
 
+[ -n "$REGISTRY" ] || REGISTRY=quay.io
+
 rlJournalStart
 
     rlPhaseStartSetup "Do the keylime setup"
@@ -51,11 +53,16 @@ rlJournalStart
         rlRun "limeconCreateNetwork ${CONT_NETWORK_NAME} 172.18.0.0/16"
         rlRun "limeUpdateConf agent registrar_ip '\"$SERVER_IP\"'"
 
-        #container image build and preparation
         rlRun "cp -r /var/lib/keylime/cv_ca ."
         rlAssertExists ./cv_ca/cacert.crt
-        IMAGE="agent_image"
-        rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"$AGENT_DOCKERFILE") ${IMAGE}"
+
+        # Pull or build agent image
+        TAG_AGENT="agent_image"
+        if [ -n "$AGENT_IMAGE" ]; then
+            rlRun "limeconPullImage $REGISTRY $AGENT_IMAGE $TAG_AGENT"
+        else
+            rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"$AGENT_DOCKERFILE") ${TAG_AGENT}"
+        fi
         TESTDIR_FIRST=$(limeCreateTestDir)
         TESTDIR_SECOND=$(limeCreateTestDir)
         rlRun "echo -e '#!/bin/bash\necho ok' > $TESTDIR_FIRST/good-script.sh && chmod a+x $TESTDIR_FIRST/good-script.sh"
@@ -69,7 +76,7 @@ rlJournalStart
         rlRun "limeconPrepareAgentConfdir $AGENT_ID_FIRST $IP_AGENT_FIRST confdir_$CONT_AGENT_FIRST"
 
         #run of first agent 
-        rlRun "limeconRunAgent $CONT_AGENT_FIRST $IMAGE $IP_AGENT_FIRST $CONT_NETWORK_NAME $TESTDIR_FIRST keylime_agent $PWD/confdir_$CONT_AGENT_FIRST $PWD/cv_ca"
+        rlRun "limeconRunAgent $CONT_AGENT_FIRST $TAG_AGENT $IP_AGENT_FIRST $CONT_NETWORK_NAME $TESTDIR_FIRST keylime_agent $PWD/confdir_$CONT_AGENT_FIRST $PWD/cv_ca"
         rlRun "limeWaitForAgentRegistration ${AGENT_ID_FIRST}"
 
         #setup of second agent
@@ -79,7 +86,7 @@ rlJournalStart
         rlRun "limeconPrepareAgentConfdir $AGENT_ID_SECOND $IP_AGENT_SECOND confdir_$CONT_AGENT_SECOND"
 
         #run of second agent
-        rlRun "limeconRunAgent $CONT_AGENT_SECOND $IMAGE $IP_AGENT_SECOND $CONT_NETWORK_NAME $TESTDIR_SECOND keylime_agent $PWD/confdir_$CONT_AGENT_SECOND $PWD/cv_ca"
+        rlRun "limeconRunAgent $CONT_AGENT_SECOND $TAG_AGENT $IP_AGENT_SECOND $CONT_NETWORK_NAME $TESTDIR_SECOND keylime_agent $PWD/confdir_$CONT_AGENT_SECOND $PWD/cv_ca"
         rlRun "limeWaitForAgentRegistration ${AGENT_ID_SECOND}"
 
         # create allowlist and excludelist for each agent

diff --git a/container/functional/keylime_ipv6_multihost/test.sh b/container/functional/keylime_ipv6_multihost/test.sh
@@ -11,6 +11,8 @@ HTTP_SERVER_PORT=8080
 [ -n "$REGISTRAR_DOCKERFILE" ] || REGISTRAR_DOCKERFILE=Dockerfile.upstream.c9s
 [ -n "$AGENT_DOCKERFILE" ] || AGENT_DOCKERFILE=Dockerfile.upstream.c9s
 
+[ -n "$REGISTRY" ] || REGISTRY=quay.io
+
 rlJournalStart
 
     rlPhaseStartSetup "Do the keylime setup"
@@ -38,13 +40,21 @@ rlJournalStart
         # prepare registrar container
         rlRun "limeUpdateConf registrar ip $IP_REGISTRAR"
 
-        #build verifier container
+        # Pull or build verifier container
         TAG_VERIFIER="verifier_image"
-        rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${VERIFIER_DOCKERFILE}") ${TAG_VERIFIER}"
+        if [ -n "$VERIFIER_IMAGE" ]; then
+            rlRun "limeconPullImage $REGISTRY $VERIFIER_IMAGE $TAG_VERIFIER"
+        else
+            rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${VERIFIER_DOCKERFILE}") ${TAG_VERIFIER}"
+        fi
 
-        #build registrar container
+        # Pull or build registrar container
         TAG_REGISTRAR="registrar_image"
-        rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${REGISTRAR_DOCKERFILE}") ${TAG_REGISTRAR}"
+        if [ -n "$REGISTRAR_IMAGE" ]; then
+            rlRun "limeconPullImage $REGISTRY $REGISTRAR_IMAGE $TAG_REGISTRAR"
+        else
+            rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${REGISTRAR_DOCKERFILE}") ${TAG_REGISTRAR}"
+        fi
 
         # if TPM emulator is present
         if limeTPMEmulated; then
@@ -79,10 +89,16 @@ rlJournalStart
         rlRun "limeUpdateConf tenant registrar_ip $IP_REGISTRAR"
 
         #setup of agent
-        TAG_AGENT="agent_image"
         CONT_AGENT="agent_container"
         rlRun "cp cv_ca/cacert.crt ."
-        rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${AGENT_DOCKERFILE}") ${TAG_AGENT}"
+
+        # Pull or build agent image
+        TAG_AGENT="agent_image"
+        if [ -n "$AGENT_IMAGE" ]; then
+            rlRun "limeconPullImage $REGISTRY $AGENT_IMAGE $TAG_AGENT"
+        else
+            rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"$AGENT_DOCKERFILE") ${TAG_AGENT}"
+        fi
         rlRun "limeUpdateConf agent registrar_ip '\"[$IP_REGISTRAR]\"'"
         rlRun "limeconPrepareAgentConfdir $AGENT_ID $IP_AGENT confdir_$CONT_AGENT"
 

diff --git a/plans/upstream-keylime-containers.fmf b/plans/upstream-keylime-containers.fmf
@@ -8,6 +8,7 @@ environment+:
   REGISTRY: quay.io
   VERIFIER_IMAGE: keylime/keylime_verifier
   REGISTRAR_IMAGE: keylime/keylime_registrar
+  AGENT_IMAGE: keylime/keylime_agent
 
 discover:
   how: fmf