Provisioner: Add support to deploy kbs

Fixes: confidential-containers#1471
Signed-off-by: Kartik Joshi <kartikjoshi@microsoft.com>

test/e2e/main_test.go

@@ -18,6 +18,7 @@ var (
 	cloudProvider   string
 	provisioner     pv.CloudProvisioner
 	cloudAPIAdaptor *pv.CloudAPIAdaptor
+	keyBrokerService *pv.KeyBrokerService
 )
 
 func init() {
@@ -83,6 +84,12 @@ func TestMain(m *testing.M) {
 		log.Fatal(err)
 	}
 
+	// The DEPLOY_KBS is exported then provisioner will install kbs before installing CAA
+	shouldDeployKbs := false
+	if os.Getenv("DEPLOY_KBS") == "yes" {
+		shouldDeployKbs = true
+	}
+
 	if !shouldProvisionCluster {
 		// Look for a suitable kubeconfig file in the sequence: --kubeconfig flag,
 		// or KUBECONFIG variable, or $HOME/.kube/config.
@@ -110,6 +117,18 @@ func TestMain(m *testing.M) {
 			}
 		}
 
+		if shouldDeployKbs {
+			log.Info("Deploying kbs")
+
+			if keyBrokerService, err = pv.NewKeyBrokerService(cloudProvider); err != nil {
+				return ctx, err
+			}
+
+			if err = keyBrokerService.Deploy(ctx, cfg); err != nil {
+				return ctx, err
+			}
+		}
+
 		if podvmImage != "" {
 			log.Info("Podvm uploading")
 			if err = provisioner.UploadPodvm(podvmImage, ctx, cfg); err != nil {

test/provisioner/provision.go

@@ -9,6 +9,9 @@ import (
 	"os"
 	"os/exec"
 	"time"
+	"strings"
+	"path/filepath"
+	"io/ioutil"
 
 	"github.com/BurntSushi/toml"
 	log "github.com/sirupsen/logrus"
@@ -48,6 +51,11 @@ type CloudAPIAdaptor struct {
 	runtimeClass         *nodev1.RuntimeClass // The Kata Containers runtimeclass
 }
 
+type KeyBrokerService struct {
+        cloudProvider        string               // Cloud provider
+}
+
+
 type newInstallOverlayFunc func(installDir string) (InstallOverlay, error)
 
 var newInstallOverlayFunctions = make(map[string]newInstallOverlayFunc)
@@ -62,6 +70,25 @@ type InstallOverlay interface {
 	Edit(ctx context.Context, cfg *envconf.Config, properties map[string]string) error
 }
 
+func NewKeyBrokerService(provider string) (*KeyBrokerService, error) {
+	// Clone kbs repo
+	repoURL := "https://github.com/confidential-containers/kbs"
+	cmd := exec.Command("git", "clone", repoURL)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	err := cmd.Run()
+	if err != nil {
+		fmt.Printf("Error running git clone: %v\n", err)
+		return nil, err
+	}
+
+
+	return &KeyBrokerService{
+		cloudProvider:        provider,
+	}, nil
+}
+
 func NewCloudAPIAdaptor(provider string, installDir string) (*CloudAPIAdaptor, error) {
 	namespace := "confidential-containers-system"
 
@@ -114,6 +141,110 @@ func GetInstallOverlay(provider string, installDir string) (InstallOverlay, erro
 	return overlayFunc(installDir)
 }
 
+// TODO: Use kustomize overlay to update this file
+func UpdateKbsKustomizationFile() error {
+	// Read the content of the existing kustomization.yaml file.
+	filePath := "base/kustomization.yaml"
+	content, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		fmt.Printf("Error reading kustomization file: %v\n", err)
+		return err
+	}
+
+	// Convert the content to a string.
+	kustomizationContent := string(content)
+
+	// Define the values to update.
+	// TODO: take image name from properties file
+	newImageName := "quay.io/surajd/kbs"
+	newImageTag := "latest"
+
+	kustomizationContent = strings.Replace(kustomizationContent, "newName: ghcr.io/confidential-containers/key-broker-service", "newName: "+newImageName, -1)
+	kustomizationContent = strings.Replace(kustomizationContent, "newTag: built-in-as-v0.7.0", "newTag: "+newImageTag, -1)
+
+	// Write the updated content back to the same file.
+	err = ioutil.WriteFile(filePath, []byte(kustomizationContent), 0644)
+	if err != nil {
+		fmt.Printf("Error writing to kustomization file: %v\n", err)
+		return err
+	}
+
+	fmt.Println("Kustomization file updated successfully.")
+	return nil
+
+}
+
+func (p *KeyBrokerService) Deploy(ctx context.Context, cfg *envconf.Config) error {
+	originalDir, err := os.Getwd()
+	if err != nil {
+		fmt.Printf("Error getting the current working directory: %v\n", err)
+		return err
+	}
+
+	// jump to kbs kubernetes config directory
+	newDirectory := "kbs/config/kubernetes/"
+	err = os.Chdir(newDirectory)
+	if err != nil {
+		fmt.Printf("Error changing the working directory: %v\n", err)
+		return err
+	}
+
+	// Note: Use kustomize overlay to update this
+	err = UpdateKbsKustomizationFile()
+	if err != nil {
+		fmt.Printf("Error updating kustomization file: %v\n", err)
+		return err
+	}
+
+	// Deploy kbs
+	k8sCnfDir := filepath.Dir(os.Args[0])
+	fmt.Println(k8sCnfDir)
+
+	keyFile := filepath.Join(k8sCnfDir, "overlays/key.bin")
+	if _, err := os.Stat(keyFile); os.IsNotExist(err) {
+		fmt.Println("key.bin file does not exist")
+		//return err
+	}
+
+	kbsCert := filepath.Join(k8sCnfDir, "base/kbs.pem")
+	if _, err := os.Stat(kbsCert); os.IsNotExist(err) {
+		kbsKey := filepath.Join(k8sCnfDir, "base/kbs.key")
+		opensslGenPKeyCmd := exec.Command("openssl", "genpkey", "-algorithm", "ed25519")
+		opensslGenPKeyCmd.Stdout = os.Stdout
+		opensslGenPKeyCmd.Stderr = os.Stderr
+		if err := opensslGenPKeyCmd.Run(); err != nil {
+			fmt.Printf("Error generating key: %v\n", err)
+			return err
+		}
+
+		opensslPKeyCmd := exec.Command("openssl", "pkey", "-in", kbsKey, "-pubout", "-out", kbsCert)
+		opensslPKeyCmd.Stdout = os.Stdout
+		opensslPKeyCmd.Stderr = os.Stderr
+		if err := opensslPKeyCmd.Run(); err != nil {
+			fmt.Printf("Error creating kbs.pem: %v\n", err)
+			return err
+		}
+	}
+
+	kubectlApplyCmd := exec.Command("kubectl", "apply", "-k", k8sCnfDir+"/overlays")
+	kubectlApplyCmd.Stdout = os.Stdout
+	kubectlApplyCmd.Stderr = os.Stderr
+	if err := kubectlApplyCmd.Run(); err != nil {
+		fmt.Printf("Error running 'kubectl apply': %v\n", err)
+		return err
+	}
+
+	// Return to the original working directory.
+	err = os.Chdir(originalDir)
+	if err != nil {
+		fmt.Printf("Error changing back to the original working directory: %v\n", err)
+		return err
+	}
+
+	return nil
+}
+
+
 // Deletes the peer pods installation including the controller manager.
 func (p *CloudAPIAdaptor) Delete(ctx context.Context, cfg *envconf.Config) error {
 	client, err := cfg.NewClient()