kbs: Simplify deployments, split out IBM SE #521
I've tested this on s390x (non-SE):
I don't have an SE LPAR, so @BbolroC can you test it on SE when you get a chance please? Thanks!
kbs/config/kubernetes/deploy-kbs.sh
@@ -22,18 +25,13 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem" | |||
openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}" | |||
} | |||
|
|||
if [ "${ARCH}" == "s390x" ]; then | |||
if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then | |||
if [ "${OVERLAY}" == "ibmse" ]; then |
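Review bot: The `${OVERLAY}` test on the last line of this hunk expands the variable with no default, whereas the `${IBM_SE_CREDS_DIR:-}` test just above it tolerates an unset value. If the script runs with nounset and OVERLAY is not assigned earlier, this comparison aborts the deployment, so either assign a default before this point or write `${OVERLAY:-}`. The compared string also has to match the overlay directory name exactly, so it is worth checking `ibmse` against the name the overlay is actually given, and `=` is the portable operator inside `[ ]`.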
if [ "${OVERLAY}" == "ibmse" ]; then | |
if [ "${OVERLAY}" == "ibm-se" ]; then |
Fixed - thanks for the spot!
What are the arch specific settings in these deployments? It feels to me this
That's fair - it looks like s390x doesn't need the same patch.yaml as x86, but otherwise they are very similar. The thought was to keep them together for flexibility, but I'm happy to try merging and having
AFAUI, this just means
we can treat
Hi Mikko, just to try and clarify what you are suggesting as I'm not sure what "back to where it was" is referencing. Is your suggestion that the "normal" deployment is like:
Then we'd have the ibm-se overlay still in
Sorry if I've misunderstood, I'm not great with kustomize!
yes, this was exactly my thinking. "back to where it was" is referring to the point where we did not have any of that
Cool - I'll work on this now. Thank you.
Ok, updated now and re-tested on s390x:
pls double check ita and custom_pccs for x86_64 specific paths
other than that, LGTM.
Sorry about this - whilst I was working on the refactor I added a mental note to fix them too, but it got paged out, so thanks for keeping me on it!
thanks!
Thanks for your review advice and patience!
LGTM. One little suggestion.
You might also think about adding a note or two to the docs about using s390x. There is one mention of setting an env var, but I don't see anything else about what users should do. Maybe they don't need to do anything else but still could be useful to note that. Maybe here or here.
The IBM SE deployment, with an explanation of
That's a good start. It's fine to put it off to another PR, but that doc doesn't mention what this dir is or when/why it should be set up. I assume the idea is that you need it if you want to verify an SE guest but not if you just want to run Trustee on s390x.
Yeah, that's not something I'm an expert on, but it is specifically for SE, so I can try and make that clearer in the doc. Edit: I've added some more information and explanation, so hopefully it helps with the clarity?
The current "s390x" overlay support is currently very SE specific, whereas deploying on non-SE s390x with the sample KBS is still an important scenario for our testing without specialised hardware. This scenario deployment matches the x86_64 deployment scenario, so let's go back to having a standard deployment, with a special case for ibm-se rather to reduce duplication.
Update the documentation to clarify when and where `IBM_SE_CREDS_DIR` is needed.
Signed-off-by: stevenhorsman <[email protected]>
In confidential-containers/trustee#521 the overlays logic was modified to add non-SE s390x support and simplify non-ibm-se platforms. We need to update the logic in `kbs_k8s_deploy` to match and can remove the dummying of `IBM_SE_CREDS_DIR` for non-SE now
Signed-off-by: stevenhorsman <[email protected]>
In confidential-containers#521 I re-worked the deploy-kbs script with overlays and didn't factor in that the key.bin needed to go to a different place for ibm-se, so it was causing:
```
trustee/kbs/config/kubernetes$ ls overlays/key.bin
ls: cannot access 'overlays/key.bin': No such file or directory
```
on an SE system. I think the least bad way to resolve this is to move the ibm-se logic up before the key.bin check and rely on the updated `DEPLOYMENT_DIR`
Signed-off-by: stevenhorsman <[email protected]>
In confidential-containers#521 I re-worked the deploy-kbs script with overlays and didn't factor in that the key.bin needed to go to a different place for ibm-se, so it was causing:
```
trustee/kbs/config/kubernetes$ ls overlays/key.bin
ls: cannot access 'overlays/key.bin': No such file or directory
```
on an SE system. I think the least bad way to resolve this is to move the ibm-se logic up before the key.bin check and rely on the updated `DEPLOYMENT_DIR`
Also update the deployment doc instructions to add the ibm-se case
Signed-off-by: stevenhorsman <[email protected]>
The current "s390x" overlay support is currently very SE specific, whereas deploying on non-SE s390x with the sample KBS is still an important scenario for our testing without specialised hardware.
Let's separate out the ibmse overlay(s), and update deploy-kbs.sh to help make the s390x non-SE scenario easier.