libvirt: enable customized opa file in kbs

Fixes: #1825 Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
confidential-containers · May 6, 2024 · f4e7810 · f4e7810
1 parent 88bf67d
commit f4e7810
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/src/cloud-api-adaptor/test/e2e/main_test.go b/src/cloud-api-adaptor/test/e2e/main_test.go
@@ -101,6 +101,10 @@ func TestMain(m *testing.M) {
 		shouldDeployKbs = true
 	}
 
+	// The TEE_CUSTOMIZED_OPA is an option variable which specifies the opa file path
+	// such as: $HOME/trustee/kbs/sample_policies/allow_all.rego.
+	customizedOpaFile := os.Getenv("TEE_CUSTOMIZED_OPA")
+
 	if !shouldProvisionCluster {
 		// Look for a suitable kubeconfig file in the sequence: --kubeconfig flag,
 		// or KUBECONFIG variable, or $HOME/.kube/config.
@@ -154,9 +158,12 @@ func TestMain(m *testing.M) {
 
 			kbsparams = "cc_kbc::http://" + kbsEndpoint
 			log.Infof("KBS PARAMS: %s", kbsparams)
-			if cloudProvider == "libvirt" {
-				log.Info("Enable sample TEE for libvirt provider by change KBS OPA to allow all")
-				if err = keyBrokerService.EnableKbsAllowAllPolicy("http://" + kbsEndpoint); err != nil {
+			if customizedOpaFile != "" {
+				log.Info("Enable customized opa file in KBS service.")
+				if _, err := os.Stat(customizedOpaFile); err != nil {
+					return ctx, err
+				}
+				if err = keyBrokerService.EnableKbsCustomizedPolicy("http://"+kbsEndpoint, customizedOpaFile); err != nil {
 					return ctx, err
 				}
 			}

diff --git a/src/cloud-api-adaptor/test/provisioner/provision.go b/src/cloud-api-adaptor/test/provisioner/provision.go
@@ -381,12 +381,11 @@ func (p *KeyBrokerService) GetKbsEndpoint(ctx context.Context, cfg *envconf.Conf
 	return "", fmt.Errorf("Service %s not found", serviceName)
 }
 
-func (p *KeyBrokerService) EnableKbsAllowAllPolicy(kbsEndpoint string) error {
-	log.Info("EnableKbsAllowAllPolicy")
+func (p *KeyBrokerService) EnableKbsCustomizedPolicy(kbsEndpoint string, customizedOpaFile string) error {
+	log.Info("EnableKbsCustomizedPolicy")
 	kbsClientDir := filepath.Join(TRUSTEE_REPO_PATH, "target/release")
 	privateKey := "../../kbs/config/kubernetes/base/kbs.key"
-	policyFile := "../../kbs/sample_policies/allow_all.rego"
-	cmd := exec.Command("./kbs-client", "--url", kbsEndpoint, "config", "--auth-private-key", privateKey, "set-resource-policy", "--policy-file", policyFile)
+	cmd := exec.Command("./kbs-client", "--url", kbsEndpoint, "config", "--auth-private-key", privateKey, "set-resource-policy", "--policy-file", customizedOpaFile)
 	cmd.Dir = kbsClientDir
 	cmd.Env = os.Environ()
 	stdoutStderr, err := cmd.CombinedOutput()