
azure-e2e-test: Add test for key release in kbs #1735

@kartikjoshi21

No description provided.

@kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch from 01acaa7 to 4807306 (March 12, 2024 12:37)
@kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch 15 times, most recently from 687ae97 to 20289d3 (April 3, 2024 06:32)
@kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch from 20289d3 to ff9e1c9 (April 10, 2024 09:56)
@kartikjoshi21 marked this pull request as ready for review (April 10, 2024 10:05)
@kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch 2 times, most recently from 73fa759 to e609d93 (April 10, 2024 10:15)
@kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch from e609d93 to 0a0296a (April 10, 2024 17:13)
@surajssd

This is blocked on getting #1684 in?

@kartikjoshi21

This is blocked on getting #1684 in?

This is just a test update, so it can be merged.

@kartikjoshi21

Steps to test this PR:

export AZURE_RESOURCE_GROUP="suraj-test-kartik-pr1518"
export AZURE_REGION="eastus"
az group create --name "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}"

export AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export USER_ASSIGNED_IDENTITY_NAME="caa-${AZURE_RESOURCE_GROUP}"
az identity create \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}"

export PRINCIPAL_ID="$(az identity show \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}" --query principalId -otsv)"

sleep 30
az role assignment create \
    --role Contributor \
    --assignee-object-id "${PRINCIPAL_ID}" \
    --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}"

export AZURE_CLIENT_ID="$(az identity show \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"

export CLUSTER_NAME="e2e"
export AZURE_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/2024.04.04"

# Docker image for KBS
# https://github.com/confidential-containers/kbs/pkgs/container/staged-images%2Fkbs

cat <<EOF >/tmp/provision_azure.properties
AZURE_CLIENT_ID="${AZURE_CLIENT_ID}"
AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}"
RESOURCE_GROUP_NAME="${AZURE_RESOURCE_GROUP}"
CLUSTER_NAME="${CLUSTER_NAME}"
LOCATION="${AZURE_REGION}"
SSH_KEY_ID="id_rsa.pub"
AZURE_IMAGE_ID="${AZURE_IMAGE_ID}"

AZURE_CLI_AUTH="true"
MANAGED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME}"

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="84432a2a97da306399db5bc863c9324dbd8b95ac"

# Get the tag from: https://quay.io/repository/confidential-containers/cloud-api-adaptor?tab=tags&tag=latest
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor:273ec3d3f01b3a7ffcb84d7be6b5224e3d77e3e1"
EOF

touch install/overlays/azure/service-principal.env
ssh-keygen -t rsa -b 4096 -f install/overlays/azure/id_rsa -N "" -C [email protected]

pushd test/e2e
git clone git@github.com:confidential-containers/kbs.git

pushd kbs
git checkout 84432a2a97da306399db5bc863c9324dbd8b95ac
popd

# Now open a new terminal

export TEST_PROVISION_FILE=/tmp/provision_azure.properties
export CLOUD_PROVIDER=azure
export BUILTIN_CLOUD_PROVIDERS=azure
export DEPLOY_KBS=true
export TEST_PROVISION=true

make test-e2e

Test Results:

time="2024-04-16T14:19:02+05:30" level=info msg="Do setup"
time="2024-04-16T14:19:02+05:30" level=info msg="Cluster provisioning"
time="2024-04-16T14:19:02+05:30" level=info msg="Creating Resource group test-kbs-e2e.\n"
time="2024-04-16T14:19:09+05:30" level=info msg="Successfully Created Resource group test-kbs-e2e.\n"
time="2024-04-16T14:23:27+05:30" level=info msg="Successfully created federated identity credential \"e2eFederatedIdentityCredential\" in resource group \"test-kbs-e2e\""
time="2024-04-16T14:23:30+05:30" level=info msg="Successfully created federated identity credential \"e2eFederatedIdentityCredential\" in resource group \"test-kbs-e2e\""
time="2024-04-16T14:23:33+05:30" level=info msg="Sync cluster kubeconfig with current config context"
time="2024-04-16T14:23:34+05:30" level=info msg="Deploying kbs"
time="2024-04-16T14:23:34+05:30" level=info msg="creating key.bin"
/home/karikjoshi21/gitwork/cloud-api-adaptor/src/cloud-api-adaptor/test/e2e
time="2024-04-16T14:23:34+05:30" level=info msg="Creating kbs install overlay"
time="2024-04-16T14:23:34+05:30" level=info msg="Customize the overlay yaml file"
time="2024-04-16T14:23:34+05:30" level=info msg="Updating kbs image with \"ghcr.io/confidential-containers/staged-images/kbs\""
time="2024-04-16T14:23:34+05:30" level=info msg="Updating kbs image tag with \"84432a2a97da306399db5bc863c9324dbd8b95ac\""
time="2024-04-16T14:23:34+05:30" level=info msg="Creating kbs install overlay"
time="2024-04-16T14:23:34+05:30" level=info msg="Install Kbs"
Wait pod 'kbs-6756f977c5-lfjm6' status for Ready
pod 'kbs-6756f977c5-lfjm6' is Ready
Pod IP: 10.244.0.13
time="2024-04-16T14:23:58+05:30" level=info msg="KBS PARAMScc_kbc::http://10.244.0.13:8080:"
time="2024-04-16T14:23:58+05:30" level=info msg="Install Cloud API Adaptor"
time="2024-04-16T14:23:58+05:30" level=info msg="Deploy the Cloud API Adaptor"
time="2024-04-16T14:23:58+05:30" level=info msg="Install the controller manager"
Wait for the cc-operator-controller-manager deployment be available
time="2024-04-16T14:24:39+05:30" level=info msg="Customize the overlay yaml file"
time="2024-04-16T14:24:39+05:30" level=info msg="Updating CAA image with \"quay.io/confidential-containers/cloud-api-adaptor\""
time="2024-04-16T14:24:39+05:30" level=info msg="Updating CAA image tag with \"273ec3d3f01b3a7ffcb84d7be6b5224e3d77e3e1\""
time="2024-04-16T14:24:39+05:30" level=info msg="Updating CAA image digest with \"\""
time="2024-04-16T14:24:44+05:30" level=info msg="Install the cloud-api-adaptor"
Wait for the cc-operator-daemon-install DaemonSet be available
Wait for the pod cc-operator-daemon-install-zlzsd be ready
Wait for the cloud-api-adaptor-daemonset DaemonSet be available
Wait for the pod cloud-api-adaptor-daemonset-rc9w6 be ready
Wait for the kata-remote runtimeclass be created
time="2024-04-16T14:26:34+05:30" level=info msg="Installing peerpod-ctrl"
time="2024-04-16T14:26:44+05:30" level=info msg="Wait for the peerpod-ctrl deployment to be available"
time="2024-04-16T14:26:59+05:30" level=info msg="Creating namespace 'coco-pp-e2e-test-2a9e7a1a'..."
time="2024-04-16T14:27:00+05:30" level=info msg="Wait for namespace 'coco-pp-e2e-test-2a9e7a1a' be ready..."
time="2024-04-16T14:27:05+05:30" level=info msg="Wait for default serviceaccount in namespace 'coco-pp-e2e-test-2a9e7a1a'..."
time="2024-04-16T14:27:05+05:30" level=info msg="default serviceAccount exists, namespace 'coco-pp-e2e-test-2a9e7a1a' is ready for use"
=== RUN   TestDeletePodAzure
=== PAUSE TestDeletePodAzure
=== RUN   TestCreateSimplePodAzure
=== PAUSE TestCreateSimplePodAzure
=== RUN   TestCreateSimplePodWithNydusAnnotationAzure
=== PAUSE TestCreateSimplePodWithNydusAnnotationAzure
=== RUN   TestCreatePodWithConfigMapAzure
=== PAUSE TestCreatePodWithConfigMapAzure
=== RUN   TestCreatePodWithSecretAzure
=== PAUSE TestCreatePodWithSecretAzure
=== RUN   TestCreateNginxDeploymentAzure
=== PAUSE TestCreateNginxDeploymentAzure
=== RUN   TestKbsKeyRelease
=== PAUSE TestKbsKeyRelease
=== CONT  TestDeletePodAzure
=== CONT  TestCreatePodWithSecretAzure
=== CONT  TestCreateSimplePodWithNydusAnnotationAzure
=== CONT  TestCreatePodWithConfigMapAzure
=== RUN   TestDeletePodAzure/DeletePod_test
=== CONT  TestKbsKeyRelease
=== RUN   TestCreatePodWithConfigMapAzure/ConfigMapPeerPod_test
=== CONT  TestCreateNginxDeploymentAzure
=== RUN   TestCreateNginxDeploymentAzure/Nginx_image_deployment_test
=== CONT  TestCreateSimplePodAzure
=== RUN   TestCreateSimplePodAzure/SimplePeerPod_test
=== RUN   TestCreateSimplePodWithNydusAnnotationAzure/SimplePeerPod_test
=== RUN   TestCreatePodWithSecretAzure/SecretPeerPod_test
time="2024-04-16T14:27:05+05:30" level=info msg="Do test kbs key release"
=== RUN   TestKbsKeyRelease/KbsKeyReleasePod_test
time="2024-04-16T14:27:05+05:30" level=info msg="Creating nginx deployment..."
time="2024-04-16T14:27:11+05:30" level=info msg="Current deployment available replicas: 0"

=== NAME  TestDeletePodAzure/DeletePod_test
    assessment_runner.go:266: Waiting for containers in pod: deletion-test are ready
time="2024-04-16T14:28:11+05:30" level=info msg="Current deployment available replicas: 0"
=== NAME  TestCreateSimplePodAzure/SimplePeerPod_test
    assessment_runner.go:266: Waiting for containers in pod: simple-test are ready
=== NAME  TestCreateSimplePodWithNydusAnnotationAzure/SimplePeerPod_test
    assessment_runner.go:266: Waiting for containers in pod: alpine are ready
=== RUN   TestDeletePodAzure/DeletePod_test/Deletion_complete
=== NAME  TestCreatePodWithSecretAzure/SecretPeerPod_test
    assessment_runner.go:266: Waiting for containers in pod: busybox-secret-pod are ready
=== NAME  TestCreatePodWithConfigMapAzure/ConfigMapPeerPod_test
    assessment_runner.go:266: Waiting for containers in pod: busybox-configmap-pod are ready
time="2024-04-16T14:28:13+05:30" level=info msg="VM found in resource group"
time="2024-04-16T14:28:13+05:30" level=info msg="Deleting pod deletion-test..."
time="2024-04-16T14:28:16+05:30" level=info msg="Current deployment available replicas: 0"
=== NAME  TestKbsKeyRelease/KbsKeyReleasePod_test
    assessment_runner.go:266: Waiting for containers in pod: busybox-curl are ready
=== RUN   TestCreateSimplePodAzure/SimplePeerPod_test/PodVM_is_created
=== RUN   TestCreateSimplePodWithNydusAnnotationAzure/SimplePeerPod_test/PodVM_is_created
=== RUN   TestCreatePodWithSecretAzure/SecretPeerPod_test/Secret_has_been_created_and_contains_data
=== RUN   TestCreatePodWithConfigMapAzure/ConfigMapPeerPod_test/Configmap_is_created_and_contains_data
    assessment_runner.go:416: Output when execute test commands:
=== NAME  TestCreatePodWithSecretAzure/SecretPeerPod_test/Secret_has_been_created_and_contains_data
    assessment_runner.go:416: Output when execute test commands:
time="2024-04-16T14:28:18+05:30" level=info msg="VM found in resource group"
time="2024-04-16T14:28:18+05:30" level=info msg="Deleting pod simple-test..."
time="2024-04-16T14:28:18+05:30" level=info msg="Deleting Secret... busybox-secret"
time="2024-04-16T14:28:18+05:30" level=info msg="Deleting pod busybox-secret-pod..."
time="2024-04-16T14:28:18+05:30" level=info msg="Deleting Configmap... busybox-configmap"
time="2024-04-16T14:28:18+05:30" level=info msg="Deleting pod busybox-configmap-pod..."
=== NAME  TestCreateSimplePodWithNydusAnnotationAzure/SimplePeerPod_test/PodVM_is_created
    assessment_helpers.go:182: Pulled with nydus-snapshotter driver:2024/04/16 08:58:13 [adaptor/proxy]         mount_point:/run/kata-containers/bf738df01da6f486f4df456a25e63fde203f9d7a6c412419386b4c44d08c38ec/rootfs source:docker.io/library/alpine:latest fstype:overlay driver:image_guest_pull
time="2024-04-16T14:28:19+05:30" level=info msg="Deleting pod alpine..."
time="2024-04-16T14:28:21+05:30" level=info msg="Current deployment available replicas: 1"
=== RUN   TestKbsKeyRelease/KbsKeyReleasePod_test/Kbs_key_release_is_successfull
    assessment_runner.go:416: Output when execute test commands:
time="2024-04-16T14:28:23+05:30" level=info msg="VM found in resource group"
time="2024-04-16T14:28:23+05:30" level=info msg="Deleting pod busybox-curl..."
time="2024-04-16T14:28:26+05:30" level=info msg="Current deployment available replicas: 1"
time="2024-04-16T14:28:31+05:30" level=info msg="Current deployment available replicas: 2"
time="2024-04-16T14:28:31+05:30" level=info msg="nginx deployment is available now"
=== RUN   TestCreateNginxDeploymentAzure/Nginx_image_deployment_test/Access_for_nginx_deployment_test
time="2024-04-16T14:28:32+05:30" level=info msg="VM found in resource group"
time="2024-04-16T14:28:33+05:30" level=info msg="VM found in resource group"
time="2024-04-16T14:28:33+05:30" level=info msg="Deleting webserver deployment..."
time="2024-04-16T14:28:33+05:30" level=info msg="Deleting deployment nginx-deployment..."
time="2024-04-16T14:28:38+05:30" level=info msg="Deployment nginx-deployment has been successfully deleted within 120s"
--- PASS: TestCreateNginxDeploymentAzure (93.28s)
    --- PASS: TestCreateNginxDeploymentAzure/Nginx_image_deployment_test (93.28s)
        --- PASS: TestCreateNginxDeploymentAzure/Nginx_image_deployment_test/Access_for_nginx_deployment_test (2.31s)
time="2024-04-16T14:28:58+05:30" level=info msg="Pod deletion-test has been successfully deleted within 120s"
--- PASS: TestDeletePodAzure (112.98s)
    --- PASS: TestDeletePodAzure/DeletePod_test (112.98s)
        --- PASS: TestDeletePodAzure/DeletePod_test/Deletion_complete (1.67s)
time="2024-04-16T14:29:03+05:30" level=info msg="Pod simple-test has been successfully deleted within 120s"
--- PASS: TestCreateSimplePodAzure (118.07s)
    --- PASS: TestCreateSimplePodAzure/SimplePeerPod_test (118.07s)
        --- PASS: TestCreateSimplePodAzure/SimplePeerPod_test/PodVM_is_created (1.85s)
time="2024-04-16T14:29:03+05:30" level=info msg="Pod busybox-secret-pod has been successfully deleted within 120s"
--- PASS: TestCreatePodWithSecretAzure (118.35s)
    --- PASS: TestCreatePodWithSecretAzure/SecretPeerPod_test (118.35s)
        --- PASS: TestCreatePodWithSecretAzure/SecretPeerPod_test/Secret_has_been_created_and_contains_data (1.36s)
time="2024-04-16T14:29:04+05:30" level=info msg="Pod busybox-configmap-pod has been successfully deleted within 120s"
--- PASS: TestCreatePodWithConfigMapAzure (118.57s)
    --- PASS: TestCreatePodWithConfigMapAzure/ConfigMapPeerPod_test (118.57s)
        --- PASS: TestCreatePodWithConfigMapAzure/ConfigMapPeerPod_test/Configmap_is_created_and_contains_data (1.42s)
time="2024-04-16T14:29:05+05:30" level=info msg="Pod alpine has been successfully deleted within 120s"
--- PASS: TestCreateSimplePodWithNydusAnnotationAzure (119.49s)
    --- PASS: TestCreateSimplePodWithNydusAnnotationAzure/SimplePeerPod_test (119.49s)
        --- PASS: TestCreateSimplePodWithNydusAnnotationAzure/SimplePeerPod_test/PodVM_is_created (3.18s)
time="2024-04-16T14:29:08+05:30" level=info msg="Pod busybox-curl has been successfully deleted within 120s"
--- PASS: TestKbsKeyRelease (123.27s)
    --- PASS: TestKbsKeyRelease/KbsKeyReleasePod_test (123.27s)
        --- PASS: TestKbsKeyRelease/KbsKeyReleasePod_test/Kbs_key_release_is_successfull (1.95s)
PASS

@kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch from 0a0296a to 78f5e1c (April 16, 2024 11:12)
src/cloud-api-adaptor/test/e2e/common.go (outdated, resolved)
pod := NewBusyboxCurlPod(E2eNamespace)
testCommands := []TestCommand{
	{
		Command: []string{"curl", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},

busybox ships wget if we want to use busybox

The comment is reasonable to me, we don't need to introduce a new function NewAlpineCurlPod and can reuse NewBusyboxPodWithName directly. And change the command to:

[]string{"wget", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"},

As I tried it, the command should be:
wget -q -O- http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin, we need the parameters -q -O- here.

@huoqifeng Apr 29, 2024

So, command would be:

[]string{"wget", "-q", "-O-", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"}
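
The exchange that the wget command above exercises, written out as an added Go example that is not part of this PR or of the cloud-api-adaptor code base: the workload pod asks CDH on 127.0.0.1:8006 for /cdh/resource/reponame/workload_key/key.bin and receives the raw key bytes, and the assertion a reviewer would want from the e2e test is that the captured stdout equals the key.bin the provisioner generated (the "creating key.bin" step in the log), not merely that wget exited 0. The FakeCDH handler, the ResourceURI type and the sample key bytes are constructed for this example; the project's own TestCommand struct is not used.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ResourceURI is the KBS/CDH resource triple behind the test's URL
// /cdh/resource/reponame/workload_key/key.bin (repo / type / tag).
type ResourceURI struct{ Repo, Type, Tag string }

// CDHResourceURL builds the URL the workload fetches. CDH listens on
// 127.0.0.1:8006 inside the PodVM, as the test command on this page shows.
func CDHResourceURL(r ResourceURI) string {
	return fmt.Sprintf("http://127.0.0.1:8006/cdh/resource/%s/%s/%s", r.Repo, r.Type, r.Tag)
}

// KeyReleaseCommand is the busybox invocation the review settled on:
// -q silences progress output and -O- writes the body to stdout so the
// e2e runner can capture and compare it.
func KeyReleaseCommand(r ResourceURI) []string {
	return []string{"wget", "-q", "-O-", CDHResourceURL(r)}
}

// ParseResourcePath accepts only /cdh/resource/<repo>/<type>/<tag> with
// non-empty, non-dot components, so a resource name cannot escape the store.
func ParseResourcePath(p string) (ResourceURI, error) {
	parts := strings.Split(strings.TrimPrefix(p, "/"), "/")
	if len(parts) != 5 || parts[0] != "cdh" || parts[1] != "resource" {
		return ResourceURI{}, fmt.Errorf("not a CDH resource path: %q", p)
	}
	for _, s := range parts[2:] {
		if s == "" || s == "." || s == ".." {
			return ResourceURI{}, fmt.Errorf("invalid path component in %q", p)
		}
	}
	return ResourceURI{Repo: parts[2], Type: parts[3], Tag: parts[4]}, nil
}

// FakeCDH is a constructed stand-in for the CDH resource endpoint: it serves
// raw bytes for known triples and answers 404 for anything else.
type FakeCDH struct{ store map[ResourceURI][]byte }

func (f FakeCDH) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	r, err := ParseResourcePath(req.URL.Path)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	body, ok := f.store[r]
	if !ok {
		http.Error(w, "resource not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	_, _ = w.Write(body)
}

// FetchReleased plays the wget side in-process (no socket is opened) and
// returns the body and status code the workload would see.
func FetchReleased(h http.Handler, r ResourceURI) ([]byte, int) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, CDHResourceURL(r), nil)
	h.ServeHTTP(rec, req)
	return rec.Body.Bytes(), rec.Code
}

// VerifyRelease is the check the e2e test should make on the captured stdout:
// the released bytes must equal the key.bin the provisioner generated.
func VerifyRelease(got, want []byte) error {
	if len(got) == 0 {
		return fmt.Errorf("empty release: CDH returned no bytes")
	}
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return fmt.Errorf("released key does not match provisioned key.bin (%d vs %d bytes)", len(got), len(want))
	}
	return nil
}

func main() {
	keyBin := []byte("constructed-sample-key-bytes") // stands in for key.bin
	want := ResourceURI{"reponame", "workload_key", "key.bin"}
	cdh := FakeCDH{store: map[ResourceURI][]byte{want: keyBin}}
	got, code := FetchReleased(cdh, want)
	fmt.Println(strings.Join(KeyReleaseCommand(want), " "), "->", code, VerifyRelease(got, keyBin))
}
```

In the real test the bytes come back through the runner's captured stdout rather than an in-process recorder, which is exactly why -O- matters: without it wget writes to a file inside the container and there is nothing to compare.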

src/cloud-api-adaptor/test/e2e/common_suite.go (outdated, resolved)
@huoqifeng commented Apr 16, 2024

@kartikjoshi21 @mkulke I'm a little confused. From the code here https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/test/provisioner/provision.go#L329, I think the KBS-IP is the overlay IP assigned by CNI; it should match the log:

Wait pod 'kbs-6756f977c5-lfjm6' status for Ready
pod 'kbs-6756f977c5-lfjm6' is Ready
Pod IP: 10.244.0.13

So, IP 10.244.0.13 is an overlay IP. But from the service code here https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service, attestation-agent should use an IP that the PodVM instance can access. Does that mean the program running in the PeerPod's root ns can reach the k8s overlay IP?

@mkulke commented Apr 16, 2024

@kartikjoshi21 @mkulke I'm a little confused. From the code here https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/test/provisioner/provision.go#L329, I think the KBS-IP is the overlay IP assigned by CNI; it should match the log:

Wait pod 'kbs-6756f977c5-lfjm6' status for Ready
pod 'kbs-6756f977c5-lfjm6' is Ready
Pod IP: 10.244.0.13

So, IP 10.244.0.13 is an overlay IP. But from the service code here https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/etc/systemd/system/kata-agent.service, attestation-agent should use an IP that the PodVM instance can access. Does that mean the program running in the PeerPod's root ns can reach the k8s overlay IP?

Good question, this is indeed unintuitive, I also stumbled over this. afaict that's a peculiarity of AKS's network configuration, see here:

With Azure Container Networking Interface every pod gets an IP address from the subnet and can be accessed directly.

So, the podvm's root network ns is still separated, but if the podvm runs in the same vnet, we're able to address a kbs pod with its pod ip. I think this won't work for k8s service ip and other cluster configurations, though.

So, if this will only work for AKS in this particular configuration, we should probably think about an alternative approach for addressing KBS from the PodVM's AA + CDH. Maybe a NodePort service for the kbs deployment?

@huoqifeng

So, if this will only work for AKS in this particular configuration, we should probably think about an alternative approach for addressing KBS from the PodVM's AA + CDH. Maybe a NodePort service for the kbs deployment?

Thanks @mkulke, that is reasonable to me now. Yeah, I tried the KBS NodePort IP in the libvirt provider and it worked. I think we should make the change so that the e2e test cases are suitable for all providers as well. It's definitely a new issue :-)
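
To make the reachability question in the two comments above concrete, an added Go example that is not from the cloud-api-adaptor project: it extracts the KBS host from the cc_kbc::<url> string the provisioner logs as KBS PARAMS, checks whether that host lies inside the cluster vnet's address space (mkulke's condition for AKS with Azure CNI, encoded here as an assumption about routability), and otherwise falls back to the NodePort form huoqifeng tested on libvirt. The vnet prefix, node address and NodePort value are constructed sample inputs.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// KBSURLFromParams extracts the KBS URL from the cc_kbc::<url> string that
// the provisioner logs as "KBS PARAMS" (e.g. cc_kbc::http://10.244.0.13:8080).
func KBSURLFromParams(params string) (*url.URL, error) {
	const prefix = "cc_kbc::"
	if !strings.HasPrefix(params, prefix) {
		return nil, fmt.Errorf("unexpected kbc params %q", params)
	}
	u, err := url.Parse(strings.TrimPrefix(params, prefix))
	if err != nil {
		return nil, err
	}
	if u.Scheme == "" || u.Hostname() == "" {
		return nil, fmt.Errorf("kbs url %q has no scheme or host", u.String())
	}
	return u, nil
}

// InVNet reports whether addr lies inside any of the vnet prefixes, which is
// the assumption used here for "a PodVM attached to that vnet can route to it
// directly" (the AKS / Azure CNI behaviour discussed in the thread).
func InVNet(addr string, vnet []string) (bool, error) {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return false, err
	}
	for _, p := range vnet {
		pfx, perr := netip.ParsePrefix(p)
		if perr != nil {
			return false, perr
		}
		if pfx.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// KBSAddressForPodVM picks the URL the PodVM's AA/CDH should be given: the
// pod IP when it is vnet-routable, otherwise http(s)://<nodeIP>:<nodePort>.
// It errors rather than silently handing out an overlay IP that the PodVM
// will never reach.
func KBSAddressForPodVM(params string, vnet []string, nodeIP string, nodePort int) (string, error) {
	u, err := KBSURLFromParams(params)
	if err != nil {
		return "", err
	}
	direct, err := InVNet(u.Hostname(), vnet)
	if err != nil {
		return "", err
	}
	if direct {
		return u.String(), nil
	}
	// Kubernetes' default NodePort range; anything else means no service exists.
	if nodePort < 30000 || nodePort > 32767 {
		return "", fmt.Errorf("pod IP %s is not routable from the vnet and no valid NodePort (%d) was given", u.Hostname(), nodePort)
	}
	onVNet, err := InVNet(nodeIP, vnet)
	if err != nil {
		return "", err
	}
	if !onVNet {
		return "", fmt.Errorf("node IP %s is not in the vnet either", nodeIP)
	}
	ap := netip.AddrPortFrom(netip.MustParseAddr(nodeIP), uint16(nodePort))
	return fmt.Sprintf("%s://%s", u.Scheme, ap.String()), nil
}

func main() {
	vnet := []string{"10.224.0.0/16"} // constructed cluster vnet
	// Azure CNI style: pod IP comes from the vnet, so the pod URL is kept.
	fmt.Println(KBSAddressForPodVM("cc_kbc::http://10.224.0.13:8080", vnet, "10.224.0.4", 30080))
	// Overlay style (kubenet, libvirt): pod IP is not routable, fall back to NodePort.
	fmt.Println(KBSAddressForPodVM("cc_kbc::http://10.244.0.13:8080", vnet, "10.224.0.4", 30080))
}
```

Run against the values in this thread's log (10.244.0.13 with a vnet that does not contain it) the function refuses the pod IP and produces the NodePort URL, which is the provider-independent form the two comments converge on.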

@surajssd

For me the tests fail because the trustee repo is not being mapped correctly.

$ make test-e2e
go test -v -tags=azure -timeout 60m -count=1 ./test/e2e
time="2024-04-18T04:26:18Z" level=info msg="Do setup"
time="2024-04-18T04:26:18Z" level=info msg="Deploying kbs"
time="2024-04-18T04:26:18Z" level=info msg="creating key.bin"
time="2024-04-18T04:26:18Z" level=error msg="creating file: open trustee/kbs/config/kubernetes/overlays/key.bin: no such file or directory\n"
F0418 04:26:18.949698   37015 env.go:369] Setup failure: creating file: open trustee/kbs/config/kubernetes/overlays/key.bin: no such file or directory
FAIL    github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/test/e2e     0.023s
FAIL
make: *** [Makefile:95: test-e2e] Error 1

I followed the following instructions:

# Test the PR 1735

export AZURE_RESOURCE_GROUP="suraj-test-kartik-pr1735-3"
export AZURE_REGION="eastus"
az group create --name "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}"

export AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export USER_ASSIGNED_IDENTITY_NAME="caa-${AZURE_RESOURCE_GROUP}"
az identity create \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}"

export PRINCIPAL_ID="$(az identity show \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}" --query principalId -otsv)"

sleep 30
az role assignment create \
    --role Contributor \
    --assignee-object-id "${PRINCIPAL_ID}" \
    --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}"

export AZURE_CLIENT_ID="$(az identity show \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"

export CLUSTER_NAME="e2e"
export AZURE_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/2024.04.17"

# Docker image for KBS
# https://github.com/confidential-containers/kbs/pkgs/container/staged-images%2Fkbs

cat <<EOF >/tmp/provision_azure.properties
AZURE_CLIENT_ID="${AZURE_CLIENT_ID}"
AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}"
RESOURCE_GROUP_NAME="${AZURE_RESOURCE_GROUP}"
CLUSTER_NAME="${CLUSTER_NAME}"
LOCATION="${AZURE_REGION}"
SSH_KEY_ID="id_rsa.pub"
AZURE_IMAGE_ID="${AZURE_IMAGE_ID}"

AZURE_CLI_AUTH="true"
MANAGED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME}"

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="84432a2a97da306399db5bc863c9324dbd8b95ac"

# Get the tag from: https://quay.io/repository/confidential-containers/cloud-api-adaptor?tab=tags&tag=latest
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor:d32c2e6f92dd610a688c78d92c463f39781b8416"
EOF

pushd src/cloud-api-adaptor/
ssh-keygen -t rsa -b 4096 -f install/overlays/azure/id_rsa -N "" -C [email protected]

pushd test/tools
git clone git@github.com:confidential-containers/trustee.git

pushd trustee
git checkout 84432a2a97da306399db5bc863c9324dbd8b95ac
popd
popd

# Now open a new terminal

export TEST_PROVISION_FILE=/tmp/provision_azure.properties
export CLOUD_PROVIDER=azure
export BUILTIN_CLOUD_PROVIDERS=azure
export DEPLOY_KBS=true
export TEST_PROVISION=true

pushd test/tools
make caa-provisioner-cli
./caa-provisioner-cli -action=provision

popd

make test-e2e

I cloned the trustee repo in the folder test/tools instead of test/e2e.

If I cloned it in the test/e2e (as the instructions here: #1735 (comment)) then the ./caa-provisioner-cli -action=provision would fail saying it couldn't find the trustee folder. So I am not sure if the trustee folder should be in test/tools or test/e2e?

@surajssd

So essentially ./caa-provisioner-cli -action=provision needs the trustee to be in test/tools.
And make test-e2e wants the trustee repo to be in test/e2e. So we need to fix logic so that it is available to both.

@kartikjoshi21

So essentially ./caa-provisioner-cli -action=provision needs the trustee to be in test/tools. And make test-e2e wants the trustee repo to be in test/e2e. So we need to fix logic so that it is available to both.

In CI we do ./caa-provisioner-cli -action=createcluster. It doesn't require the trustee repo. So I think we just need to clone the repo in only one place.

@kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch from c1567de to 86d1ecb (April 24, 2024 08:49)
@kartikjoshi21

Tested this change along with the other two changes #1812 and #1684. Things pass in CI now.

This is run on my fork: https://github.com/kartikjoshi21/cloud-api-adaptor/actions/runs/8813015156/job/24190065704

@surajssd @mkulke

@mkulke left a comment

lgtm

@surajssd commented Apr 26, 2024

So essentially ./caa-provisioner-cli -action=provision needs the trustee to be in test/tools. And make test-e2e wants the trustee repo to be in test/e2e. So we need to fix logic so that it is available to both.

In CI we do ./caa-provisioner-cli -action=createcluster It doesn't require trustee repo. So i think we just need to clone repo only at one place.

When I use that I cannot get the CAA running, it fails with the following error:

$ kl -n confidential-containers-system cloud-api-adaptor-daemonset-bjfp6
$AZURE_SUBNET_ID is NOT set

I think we have -action=provisioner because it takes care of the basic installation.

My deployment instructions:

# Test the PR 1735

export AZURE_RESOURCE_GROUP="suraj-test-kartik-pr1735-1"
export AZURE_REGION="eastus"
az group create --name "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}"

export AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export USER_ASSIGNED_IDENTITY_NAME="caa-${AZURE_RESOURCE_GROUP}"
az identity create \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}"

export PRINCIPAL_ID="$(az identity show \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}" --query principalId -otsv)"

sleep 30
az role assignment create \
    --role Contributor \
    --assignee-object-id "${PRINCIPAL_ID}" \
    --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}"

export AZURE_CLIENT_ID="$(az identity show \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"

export CLUSTER_NAME="e2e"
export AZURE_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/2024.04.25"

# Docker image for KBS
# https://github.com/confidential-containers/kbs/pkgs/container/staged-images%2Fkbs

cat <<EOF >/tmp/provision_azure.properties
AZURE_CLIENT_ID="${AZURE_CLIENT_ID}"
AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}"
RESOURCE_GROUP_NAME="${AZURE_RESOURCE_GROUP}"
CLUSTER_NAME="${CLUSTER_NAME}"
LOCATION="${AZURE_REGION}"
SSH_KEY_ID="id_rsa.pub"
AZURE_IMAGE_ID="${AZURE_IMAGE_ID}"

AZURE_CLI_AUTH="true"
MANAGED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME}"

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="dc01f454264fb4350e5f69eba05683a9a1882c41"

# Get the tag from: https://quay.io/repository/confidential-containers/cloud-api-adaptor?tab=tags&tag=latest
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor:d32c2e6f92dd610a688c78d92c463f39781b8416"
EOF

# Change into the CAA repo

gh pr checkout 1735
pushd src/cloud-api-adaptor/
ssh-keygen -t rsa -b 4096 -f install/overlays/azure/id_rsa -N "" -C [email protected]

git clone https://github.com/confidential-containers/trustee test/trustee

pushd test/trustee
git checkout dc01f454264fb4350e5f69eba05683a9a1882c41
popd
popd

# Now open a new terminal

export TEST_PROVISION_FILE=/tmp/provision_azure.properties
export CLOUD_PROVIDER=azure
export BUILTIN_CLOUD_PROVIDERS=azure
export DEPLOY_KBS=true
export TEST_E2E_CREATE_RG=no
export TEST_PROVISION=no

pushd src/cloud-api-adaptor
pushd test/tools

# Get changes from #1684
curl -L -o /tmp/diff https://github.com/confidential-containers/cloud-api-adaptor/commit/b672ac0c2fafff0a85d11b71ee99cedd9b91e8b7.diff
git apply /tmp/diff

make caa-provisioner-cli
./caa-provisioner-cli -action=createcluster

popd

make test-e2e

popd

The deployment never passes because CAA is in Crashloop

$ make test-e2e
go test -v -tags=azure -timeout 60m -count=1 ./test/e2e
time="2024-04-26T00:24:29Z" level=info msg="Do setup"
time="2024-04-26T00:24:29Z" level=info msg="Deploying kbs"
time="2024-04-26T00:24:29Z" level=info msg="creating key.bin"
/home/surajaz/code/work/cloud-api-adaptor/src/cloud-api-adaptor/test/e2e
time="2024-04-26T00:24:29Z" level=info msg="Creating kbs install overlay"
time="2024-04-26T00:24:29Z" level=info msg="Customize the overlay yaml file"
time="2024-04-26T00:24:29Z" level=info msg="Updating kbs image with \"ghcr.io/confidential-containers/staged-images/kbs\""
time="2024-04-26T00:24:29Z" level=info msg="Updating kbs image tag with \"dc01f454264fb4350e5f69eba05683a9a1882c41\""
time="2024-04-26T00:24:29Z" level=info msg="Creating kbs install overlay"
time="2024-04-26T00:24:29Z" level=info msg="Install Kbs"
Wait pod 'kbs-67fffcc988-mwkhp' status for Ready
pod 'kbs-67fffcc988-mwkhp' is Ready
Pod IP: 10.244.0.15
time="2024-04-26T00:24:50Z" level=info msg="KBS PARAMScc_kbc::http://10.244.0.15:8080:"
time="2024-04-26T00:24:50Z" level=info msg="Install Cloud API Adaptor"
time="2024-04-26T00:24:50Z" level=info msg="Deploy the Cloud API Adaptor"
time="2024-04-26T00:24:50Z" level=info msg="Install the controller manager"
Wait for the cc-operator-controller-manager deployment be available
time="2024-04-26T00:25:10Z" level=info msg="Customize the overlay yaml file"
time="2024-04-26T00:25:10Z" level=info msg="Updating CAA image with \"quay.io/confidential-containers/cloud-api-adaptor\""
time="2024-04-26T00:25:10Z" level=info msg="Updating CAA image tag with \"d32c2e6f92dd610a688c78d92c463f39781b8416\""
time="2024-04-26T00:25:10Z" level=info msg="Updating CAA image digest with \"\""
time="2024-04-26T00:25:12Z" level=info msg="Install the cloud-api-adaptor"
Wait for the cc-operator-daemon-install DaemonSet be available
Wait for the pod cc-operator-daemon-install-hgl82 be ready
Wait for the cloud-api-adaptor-daemonset DaemonSet be available
Wait for the pod cloud-api-adaptor-daemonset-bjfp6 be ready

@huoqifeng

@kartikjoshi21 @mkulke does the kbs image support the sample TEE as well?

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="84432a2a97da306399db5bc863c9324dbd8b95ac"

I met a problem when trying this against the libvirt provider and the sample TEE.

@kartikjoshi21

@surajssd I have used the steps we use in CI locally and I am able to test this change.

export AZURE_RESOURCE_GROUP="test-kartik-pr1735-local"
export AZURE_REGION="eastus"

az group create --name "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}"

export AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export USER_ASSIGNED_IDENTITY_NAME="caa-${AZURE_RESOURCE_GROUP}"
az identity create \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}"

export PRINCIPAL_ID="$(az identity show \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}" --query principalId -otsv)"
sleep 30
az role assignment create \
    --role Contributor \
    --assignee-object-id "${PRINCIPAL_ID}" \
    --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}"

export AZURE_CLIENT_ID="$(az identity show \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"

export CLUSTER_NAME="e2e"
export AZURE_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/2024.04.25"

cat <<EOF >/tmp/provision_azure.properties
AZURE_CLIENT_ID="${AZURE_CLIENT_ID}"
AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}"
RESOURCE_GROUP_NAME="${AZURE_RESOURCE_GROUP}"
CLUSTER_NAME="${CLUSTER_NAME}"
LOCATION="${AZURE_REGION}"
SSH_KEY_ID="id_rsa.pub"
AZURE_IMAGE_ID="${AZURE_IMAGE_ID}"

AZURE_CLI_AUTH="true"
MANAGED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME}"

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="dc01f454264fb4350e5f69eba05683a9a1882c41"

# Get the tag from: https://quay.io/repository/confidential-containers/cloud-api-adaptor?tab=tags&tag=latest
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor:d32c2e6f92dd610a688c78d92c463f39781b8416"
EOF

ssh-keygen -t rsa -b 4096 -f install/overlays/azure/id_rsa -N "" -C [email protected]


pushd test/tools/
make caa-provisioner-cli
./caa-provisioner-cli -action=createcluster
popd

export NODE_RESOURCE_GROUP="$(az aks show -g $AZURE_RESOURCE_GROUP -n "$CLUSTER_NAME" --query nodeResourceGroup -o tsv)"
export SUBNET_ID="$(az network vnet list -g "$NODE_RESOURCE_GROUP" --query '[0].subnets[0].id' -o tsv)"


git clone https://github.com/confidential-containers/trustee test/trustee
pushd test/trustee
git checkout dc01f454264fb4350e5f69eba05683a9a1882c41
popd

export TEST_PROVISION=no
export CLOUD_PROVIDER="azure"
export BUILTIN_CLOUD_PROVIDERS=azure
export TEST_E2E_CREATE_RG=no
export TEST_PROVISION_FILE=/tmp/provision_azure.properties

make test-e2e

@kartikjoshi21
Contributor Author

@kartikjoshi21 @mkulke does the kbs image support sample TEE also?

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="84432a2a97da306399db5bc863c9324dbd8b95ac"

I met a problem when trying this against the libvirt provider and sample TEE.

I think this image have is

@kartikjoshi21 @mkulke does the kbs image support sample TEE also?

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="84432a2a97da306399db5bc863c9324dbd8b95ac"

I met a problem when trying this against the libvirt provider and sample TEE.

Can you share what problems you faced? Also, this image won't have the latest nodeport change confidential-containers/trustee#371, so I think we should use the dc01f454264fb4350e5f69eba05683a9a1882c41 tag now.

@huoqifeng

@kartikjoshi21 @mkulke does the kbs image support sample TEE also?

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="84432a2a97da306399db5bc863c9324dbd8b95ac"

I met a problem when trying this against the libvirt provider and sample TEE.

I think this image have is

@kartikjoshi21 @mkulke does the kbs image support sample TEE also?

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="84432a2a97da306399db5bc863c9324dbd8b95ac"

I met a problem when trying this against the libvirt provider and sample TEE.

Can you share what problems you faced? Also, this image won't have the latest nodeport change confidential-containers/trustee#371, so I think we should use the dc01f454264fb4350e5f69eba05683a9a1882c41 tag now.

Thanks @kartikjoshi21, I'm tracking the logs in #1824 (comment).

@kartikjoshi21 kartikjoshi21 force-pushed the kartikjoshi21/test-key-release-kbs branch from 86d1ecb to cd5b4c0 Compare April 29, 2024 11:29
@kartikjoshi21 kartikjoshi21 requested a review from huoqifeng April 29, 2024 16:17
@surajssd
Member

I tested this PR with the following steps and it works with local testing:

# Test the PR 1735

export AZURE_RESOURCE_GROUP="suraj-test-kartik-pr1735-1"
export AZURE_REGION="eastus"
az group create --name "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}"

export AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export USER_ASSIGNED_IDENTITY_NAME="caa-${AZURE_RESOURCE_GROUP}"
az identity create \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --location "${AZURE_REGION}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}"

export PRINCIPAL_ID="$(az identity show \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --subscription "${AZURE_SUBSCRIPTION_ID}" --query principalId -otsv)"

sleep 30
az role assignment create \
    --role Contributor \
    --assignee-object-id "${PRINCIPAL_ID}" \
    --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}"

export AZURE_CLIENT_ID="$(az identity show \
    --resource-group "${AZURE_RESOURCE_GROUP}" \
    --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"

export CLUSTER_NAME="e2e"
export AZURE_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/2024.04.25"

# Docker image for KBS
# https://github.com/confidential-containers/kbs/pkgs/container/staged-images%2Fkbs

cat <<EOF >/tmp/provision_azure.properties
AZURE_CLIENT_ID="${AZURE_CLIENT_ID}"
AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID}"
RESOURCE_GROUP_NAME="${AZURE_RESOURCE_GROUP}"
CLUSTER_NAME="${CLUSTER_NAME}"
LOCATION="${AZURE_REGION}"
SSH_KEY_ID="id_rsa.pub"
AZURE_IMAGE_ID="${AZURE_IMAGE_ID}"

AZURE_CLI_AUTH="true"
MANAGED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME}"

# Deploy the same one that is merged on the CAA main
KBS_IMAGE="ghcr.io/confidential-containers/staged-images/kbs"
KBS_IMAGE_TAG="dc01f454264fb4350e5f69eba05683a9a1882c41"

# Get the tag from: https://quay.io/repository/confidential-containers/cloud-api-adaptor?tab=tags&tag=latest
CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor:d32c2e6f92dd610a688c78d92c463f39781b8416"
EOF

# Change into the CAA repo

gh pr checkout 1735
pushd src/cloud-api-adaptor/
ssh-keygen -t rsa -b 4096 -f install/overlays/azure/id_rsa -N "" -C [email protected]

git clone https://github.com/confidential-containers/trustee test/trustee

pushd test/trustee
git checkout dc01f454264fb4350e5f69eba05683a9a1882c41
popd
popd

# Now open a new terminal

export TEST_PROVISION_FILE=/tmp/provision_azure.properties
export CLOUD_PROVIDER=azure
export BUILTIN_CLOUD_PROVIDERS=azure
export DEPLOY_KBS=true
export TEST_E2E_CREATE_RG=no
export TEST_PROVISION=no

pushd src/cloud-api-adaptor
pushd test/tools

make caa-provisioner-cli
./caa-provisioner-cli -action=provision

popd

make test-e2e

popd


@huoqifeng huoqifeng left a comment


LGTM, thank you! @kartikjoshi21

@huoqifeng huoqifeng merged commit 1a4c306 into confidential-containers:main Apr 30, 2024
18 checks passed

4 participants