From d27be20bff5059de7b29533c54f9840285659bb7 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Thu, 10 Oct 2024 16:33:00 +0100 Subject: [PATCH 1/2] test: Add checkout kbs helper script We have duplicate code in multiple e2e workflows and manual doc instructions for checking out the KBS repo and switching to the correct branch. This both makes updating it prone to errors/omissions and means that if we make changes we can't test them in PRs due to the `pull_request_target` limitation, so split these out into a single script we can call from elsewhere. Signed-off-by: stevenhorsman --- .github/workflows/azure-e2e-test.yml | 16 ++------- .github/workflows/e2e_libvirt.yaml | 22 ++---------- src/cloud-api-adaptor/test/e2e/README.md | 19 ++-------- .../test/utils/checkout_kbs.sh | 36 +++++++++++++++++++ 4 files changed, 42 insertions(+), 51 deletions(-) create mode 100755 src/cloud-api-adaptor/test/utils/checkout_kbs.sh diff --git a/.github/workflows/azure-e2e-test.yml b/.github/workflows/azure-e2e-test.yml index 3c5e70cad..b0e3a2e88 100644 --- a/.github/workflows/azure-e2e-test.yml +++ b/.github/workflows/azure-e2e-test.yml 
@@ -235,21 +235,9 @@ jobs: - name: Extract kbs reference run: echo "KBS_VERSION=$(yq -e '.git.kbs.reference' versions.yaml)" >> "$GITHUB_ENV" - - name: Checkout kbs Repository + - name: Checkout KBS Repository run: | - rm -rf test/trustee - git clone https://github.com/confidential-containers/trustee test/trustee - pushd test/trustee - git checkout "${KBS_VERSION}" - pushd kbs/config/kubernetes/base/ - # Trustee only updates their staging image reliably with sha tags, - # so switch to use that and convert the version to the sha - KBS_SHA=$(gh api repos/confidential-containers/trustee/commits/${KBS_VERSION} -q .sha) - kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:${KBS_SHA} - # For debugging - echo "Trustee deployment: $(cat kustomization.yaml). Images: $(cat kustomization.yaml | grep -A 5 images:)" - popd - popd + test/utils/checkout_kbs.sh - name: Run e2e test env: diff --git a/.github/workflows/e2e_libvirt.yaml b/.github/workflows/e2e_libvirt.yaml index f9cea62df..e4052d23a 100644 --- a/.github/workflows/e2e_libvirt.yaml +++ b/.github/workflows/e2e_libvirt.yaml 
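Review bot: The commands for this step now come from `test/utils/checkout_kbs.sh` in the checked-out tree rather than from the workflow definition, which matters if the job runs under `pull_request_target` (the commit message suggests it does; the trigger and the checkout step are outside the hunk). In that case the script content is whatever the checked-out ref contains while the job holds repository credentials; the same applies to the e2e_libvirt.yaml hunk, where the step visibly receives `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. I would confirm that PR code is only checked out after maintainer approval and add a comment above the step, e.g. `# Runs a script from the checked-out tree: keep token permissions read-only`. This job also now runs `sudo apt-get install` and the kbs-client `make`, which the removed inline step did not.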
@@ -106,27 +106,9 @@ jobs: curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | \ bash -s /usr/local/bin - - name: Checkout kbs Repository and build kbs-client + - name: Checkout KBS Repository run: | - sudo apt-get update -y - sudo apt-get install -y build-essential pkg-config libssl-dev - git clone "${KBS_REPO}" test/trustee - pushd test/trustee - git checkout "${KBS_VERSION}" - pushd kbs - make CLI_FEATURES=sample_only cli - pushd config/kubernetes/base/ - # Trustee only updates their staging image reliably with sha tags, - # so switch to use that and convert the version to the sha - KBS_SHA=$(gh api repos/confidential-containers/trustee/commits/${KBS_VERSION} -q .sha) - kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:${KBS_SHA} - # For debugging - echo "Trustee deployment: $(cat kustomization.yaml). Images: $(cat kustomization.yaml | grep -A 5 images:)" - popd - popd - # For debugging - ls ./target/release - popd + test/utils/checkout_kbs.sh env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/src/cloud-api-adaptor/test/e2e/README.md b/src/cloud-api-adaptor/test/e2e/README.md index d8e9b5d43..1871af281 100644 --- a/src/cloud-api-adaptor/test/e2e/README.md +++ b/src/cloud-api-adaptor/test/e2e/README.md 
@@ -57,25 +57,10 @@ $ RUN_TESTS=CreateSimplePod TEST_PROVISION=yes TEST_PODVM_IMAGE="path/to/podvm-b ## Attestation and KBS specific We need artifacts from the trustee repo when doing the attestation tests. -To prepare trustee, execute the following steps: +To prepare trustee, execute the following helper script: ```sh -pushd ${cloud-api-adaptor-repo-dir}/src/cloud-api-adaptor/test -git clone https://github.com/confidential-containers/trustee.git -pushd trustee -KBS_VERSION=$(../../hack/yq-shim.sh '.git.kbs.reference' ../../versions.yaml) -git checkout ${KBS_VERSION} -pushd kbs -pushd config/kubernetes/base/ -# Trustee only updates their staging image reliably with sha tags, -# so switch to use that and convert the version to the sha -KBS_SHA=$(gh api repos/confidential-containers/trustee/commits/${KBS_VERSION} -q .sha) -kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:${KBS_SHA} -popd -make CLI_FEATURES=sample_only cli -popd -popd -popd +${cloud-api-adaptor-repo-dir}/src/cloud-api-adaptor/test/utils/checkout_kbs.sh ``` We need build and use the PodVM image: diff --git a/src/cloud-api-adaptor/test/utils/checkout_kbs.sh b/src/cloud-api-adaptor/test/utils/checkout_kbs.sh new file mode 100755 index 000000000..6eec5eb66 --- /dev/null +++ b/src/cloud-api-adaptor/test/utils/checkout_kbs.sh 
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Copyright (c) 2024 IBM Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+TEST_DIR=$(cd "$(dirname "$(realpath "$0")")/../"; pwd)
+
+VERSIONS_YAML_PATH=$(realpath "${TEST_DIR}/../versions.yaml")
+
+KBS_REPO=$(yq -e '.git.kbs.url' "${VERSIONS_YAML_PATH}")
+KBS_VERSION=$(yq -e '.git.kbs.reference' "${VERSIONS_YAML_PATH}")
+
+echo "${KBS_REPO}, ${KBS_VERSION}"
+
+rm -rf "${TEST_DIR}/trustee"
+git clone "${KBS_REPO}" "${TEST_DIR}/trustee"
+pushd "${TEST_DIR}/trustee"
+git checkout "${KBS_VERSION}"
+
+# kbs-client setup - to be removed when we use the cached version instead
+sudo apt-get update -y
+sudo apt-get install -y build-essential pkg-config libssl-dev
+pushd kbs
+make CLI_FEATURES=sample_only cli
+popd
+
+pushd kbs/config/kubernetes/base/
+# Trustee only updates their staging image reliably with sha tags,
+# so switch to use that and convert the version to the sha
+KBS_SHA=$(gh api repos/confidential-containers/trustee/commits/${KBS_VERSION} -q .sha)
+kustomize edit set image kbs-container-image=ghcr.io/confidential-containers/staged-images/kbs:${KBS_SHA}
+# For debugging
+echo "Trustee deployment: $(cat kustomization.yaml). Images: $(grep -A 5 images: kustomization.yaml)"
From 115214803f8bbd0d40ffb9d49b6159bba134a40c Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Thu, 10 Oct 2024 18:37:41 +0100
Subject: [PATCH 2/2] workflow: Fix kustomize permissions issues Add sudo to install and ensure it has execute permission
---
.github/workflows/e2e_libvirt.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/e2e_libvirt.yaml b/.github/workflows/e2e_libvirt.yaml
index e4052d23a..5086c9b41 100644
--- a/.github/workflows/e2e_libvirt.yaml
+++ b/.github/workflows/e2e_libvirt.yaml
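Review bot: In checkout_kbs.sh the image tag is resolved with `gh api repos/confidential-containers/trustee/commits/${KBS_VERSION}`, a hard-coded repository, while the clone uses `KBS_REPO` from versions.yaml, so the two can disagree, and the lookup depends on an authenticated `gh` for a value the clone already holds. After `git checkout` the same commit id is available locally: `KBS_SHA=$(git rev-parse HEAD)`. Separately, `TEST_DIR=$(cd "…/../"; pwd)` still yields the caller's working directory if the `cd` fails, and that value feeds `rm -rf "${TEST_DIR}/trustee"`; joining the two commands with `&&` instead of `;` lets `set -e` stop the script there. Since the README now points developers at this script, a header comment stating that it runs `sudo apt-get install` and needs `yq`, `gh` and `kustomize` on PATH would help.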
@@ -103,8 +103,9 @@ jobs: - name: Install kustomize run: | command -v kustomize >/dev/null || \ - curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | \ + sudo curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | \ bash -s /usr/local/bin + sudo chmod a+x /usr/local/bin/kustomize - name: Checkout KBS Repository run: |
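Review bot: The added `sudo` is applied to `curl`, not to the `bash` that runs the installer, so the download runs as root while the install into /usr/local/bin still runs unprivileged; it probably belongs on the right-hand side of the pipe. The installer is also fetched from the moving `master` branch with `curl -s`, so an HTTP error body or a changed upstream script is executed as-is; pinning to a reviewed commit and adding `-f` would narrow that: `curl -fsSL "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/<PINNED_COMMIT>/hack/install_kustomize.sh" | sudo bash -s /usr/local/bin`. The new `sudo chmod a+x /usr/local/bin/kustomize` runs even when `command -v kustomize` found a binary elsewhere on PATH, in which case the step fails if that path does not exist.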