From d49b95cd6c2280b5c67909258ef25b2cf831cb85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 25 Sep 2023 11:26:57 +0200
Subject: [PATCH] agent_image: Switch order of tests 4 and 5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The reason for that being:
```
The test case 5 failed due to a specific behavior when using containerd and the snapshotter to download images. Containerd needs to fetch both the manifest and configuration of the image. In this case, both images `quay.io/kata-containers/confidential-containers:signed` and `quay.io/kata-containers/confidential-containers:unsigned` have the same IDs (sha256). Consequently, test case 4 downloaded image `quay.io/kata-containers/confidential-containers:signed`. So, in test case 5, when containerd detected that the image ID already existed, it used the manifest and image name from `quay.io/kata-containers/confidential-containers:signed` and passed it to kata instead of `quay.io/kata-containers/confidential-containers:unsigned`, resulting in the use of image `quay.io/kata-containers/confidential-containers:signed`. This explains the error in test case 5. As a temporary measure, deleting the image before running each test case should address this.
```
from: https://cloud-native.slack.com/archives/C039JSH0807/p1695618313572309?thread_ts=1695591000.697989&cid=C039JSH0807

Signed-off-by: Fabiano Fidêncio
---
 integration/kubernetes/confidential/agent_image.bats | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/integration/kubernetes/confidential/agent_image.bats b/integration/kubernetes/confidential/agent_image.bats
index de5c815e8..de8cdace8 100644
--- a/integration/kubernetes/confidential/agent_image.bats
+++ b/integration/kubernetes/confidential/agent_image.bats
@@ -62,11 +62,6 @@ setup() { [ ${#rootfs[@]} -eq 1 ] } -@test "$test_tag Test can pull a unencrypted signed image from a protected registry" { - setup_signature_files - create_test_pod -} - @test "$test_tag Test cannot pull an unencrypted unsigned image from a protected registry" { setup_signature_files local container_config="$(new_pod_config "$image_unsigned_protected")" @@ -76,6 +71,11 @@ setup() { assert_logs_contain 'Validate image failed: The signatures do not satisfied! Reject reason: \[Match reference failed.\]' } +@test "$test_tag Test can pull a unencrypted signed image from a protected registry" { + setup_signature_files + create_test_pod +} + @test "$test_tag Test can pull an unencrypted unsigned image from an unprotected registry" { setup_signature_files pod_config="$(new_pod_config "$image_unsigned_unprotected")"
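Review bot: In the first hunk, the "cannot pull an unencrypted unsigned image from a protected registry" test now gives a correct result only when it runs before any test that pulls the `:signed` tag, and nothing in the file records that dependency. Add a comment above that test saying it must stay ahead of the signed-image test because both tags share one image ID, or take the route the commit message itself names and delete the image in setup() before each test, so the signature-rejection check does not depend on execution order.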
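Review bot: In the second hunk, the re-added signed-image test now runs directly after the unsigned pull, so the shared image ID described in the commit message could act in the opposite direction: if containerd retained the manifest or name from the `:unsigned` attempt, this test may be handed the unsigned reference and fail validation. Please confirm that the rejected pull leaves nothing cached on the node, or remove the image before this test runs. While the line is being moved, the test name "a unencrypted signed image" could also be corrected to "an unencrypted", matching the neighbouring test names.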