ci: update CI for cc-kbc

Added CI tests for cc-kbc & occlum. The test will only cover HW mode.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

.github/workflows/e2e.yaml

@@ -21,13 +21,19 @@ jobs:
         include:
           - runner: sgx-ecc
             sgx_mode: HW
+            kbc: eaa-kbc
+          - runner: sgx-ecc
+            sgx_mode: HW
+            kbc: cc-kbc
           - runner: ubuntu-22.04
             sgx_mode: SIM
+            kbc: sample-kbc
 
-    name: SGX_MODE=${{ matrix.sgx_mode }}
+    name: SGX_MODE=${{ matrix.sgx_mode }} KBC=${{ matrix.kbc }}
     runs-on: ${{ matrix.runner }}
     env:
       SGX_MODE: ${{ matrix.sgx_mode }}
+      KBC: ${{ matrix.kbc }}
       PAYLOAD_ARTIFACTS: ${{ github.workspace }}/coco
 
     steps:
@@ -81,7 +87,7 @@ jobs:
       - name: Build agent-enclave bundle
         run: |
           mkdir $PAYLOAD_ARTIFACTS
-          docker build . -f tools/packaging/build/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} -t agent-instance:build
+          docker build . -f tools/packaging/build/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t agent-instance:build
           docker export $(docker create agent-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/agent-instance.tar
         working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
 
@@ -108,7 +114,7 @@ jobs:
       - name: Install decrypt_config.conf and ocicrypt.conf for agent-enclave bundle
         run: |
           sudo install -D -t $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs ocicrypt.conf
-          sudo install decrypt_config-$SGX_MODE.conf $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/decrypt_config.conf
+          sudo install decrypt_config-$SGX_MODE-$KBC.conf $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/decrypt_config.conf
         working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e
 
       - name: Test image pull and unpack
@@ -126,7 +132,7 @@ jobs:
       - name: Test image decryption
         run: |
           SANDBOX_ID=$(sudo crictl runp --runtime enclavecc sandbox.json)
-          CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-encrypted-$SGX_MODE.json sandbox.json)
+          CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-encrypted-$SGX_MODE-$KBC.json sandbox.json)
           sudo crictl start $CONTAINER_ID
           sleep 5
           sudo crictl logs $CONTAINER_ID

test/e2e/decrypt_config-HW-cc-kbc.conf

@@ -0,0 +1,4 @@
+{
+    "key_provider": "provider:attestation-agent:cc_kbc::http://127.0.0.1:8080",
+    "security_validate": true
+}

test/e2e/hello-world-encrypted-HW-eaa-kbc.json

@@ -0,0 +1,20 @@
+{
+  "metadata": {
+    "name": "hello-world-encrypted-container"
+  },
+  "image":{
+    "image": "ghcr.io/confidential-containers/test-container-enclave-cc:encrypted"
+  },
+  "envs": [
+    {"key": "OCCLUM_RELEASE_ENCLAVE", "value": "1"}
+  ],
+  "command": [
+    "/run/rune/boot_instance/build/bin/occlum-run",
+    "/bin/hello_world"
+  ],
+  "working_dir": "/run/rune/boot_instance/",
+  "log_path":"hello.log",
+  "devices": [
+    {"container_path": "/dev/sgx_enclave", "host_path": "/dev/sgx_enclave", "permissions": "rw"}
+  ]
+}

tools/packaging/build/agent-enclave-bundle/Dockerfile

@@ -1,6 +1,7 @@
 FROM ubuntu:20.04 as builder
 
 ARG RATS_TLS_REV=5de6fc308f2a18f4105429451c85e6173b42ab9d
+ARG KBC=cc-kbc
 
 RUN apt-get update && \
     env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
@@ -63,7 +64,7 @@ RUN git clone https://github.com/inclavare-containers/rats-tls.git && \
 COPY src/ /enclave-cc/src/
 RUN cd /enclave-cc/src/enclave-agent && \
     . $HOME/.cargo/env && \
-    make
+    make ${KBC}
 
 WORKDIR /run/enclave-agent
 COPY tools/packaging/build/agent-enclave-bundle/enclave-agent.yaml .

tools/packaging/build/build_payload.sh

@@ -4,6 +4,7 @@ set -e
 CI=${CI:-no}
 PUSH=${PUSH:-no}
 SGX_MODE=${SGX_MODE:-HW}
+KBC=${KBC:-cc-kbc}
 GO_VERSION=${GO_VERSION:-1.19}
 if [ "${CI}" == "yes" ]; then
 	DEFAULT_IMAGE=quay.io/confidential-containers/runtime-payload-ci:enclave-cc-${SGX_MODE}-$(git rev-parse HEAD)
@@ -22,7 +23,7 @@ mkdir -p ${PAYLOAD_ARTIFACTS}
 
 # build pre-installed OCI bundle for agent enclave container
 pushd ${SCRIPT_ROOT}/agent-enclave-bundle
-docker build ${ENCLAVE_CC_ROOT} -f ${SCRIPT_ROOT}/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} -t agent-instance
+docker build ${ENCLAVE_CC_ROOT} -f ${SCRIPT_ROOT}/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t agent-instance
 jq -a -f sgx-mode-config.filter config.json.template | tee ${PAYLOAD_ARTIFACTS}/config.json
 docker export $(docker create agent-instance) | tee > ${PAYLOAD_ARTIFACTS}/agent-instance.tar
 popd