tests: Read and overwrite kernel_verity_parameters

Read the kernel_verity_paramers from the shim config and adjust
the root hash for the negative test.
Further, improve some of the test logic by using shared
functions. This especially ensures we don't read the full
journalctl logs on a node but only the portion of the logs we are
actually supposed to look at.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>

Author: manuelh-dev

tests/integration/kubernetes/k8s-measured-rootfs.bats

@@ -9,6 +9,11 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/lib.sh"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
+# Currently only the Go runtime provides the config path used here.
+# If a Rust hypervisor runs this test, mirror the enabling_hypervisor
+# pattern in tests/common.bash to select the correct runtime-rs config.
+shim_config_file="/opt/kata/share/defaults/kata-containers/configuration-${KATA_HYPERVISOR}.toml"
+
 check_and_skip() {
 	case "${KATA_HYPERVISOR}" in
 		qemu-tdx|qemu-coco-dev)
@@ -29,26 +34,29 @@ setup() {
 	setup_common || die "setup_common failed"
 }
 
-@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
+@test "Test cannot launch pod with measured boot enabled and incorrect hash" {
 	pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
 	auto_generate_policy "${pod_config_dir}" "${pod_config}"
 
 	incorrect_hash="1111111111111111111111111111111111111111111111111111111111111111"
 
-	# To avoid editing that file on the worker node, here it will be
-	# enabled via pod annotations.
+	# Read verity parameters from config, then override via annotations.
+	kernel_verity_params=$(exec_host "$node" "sed -n 's/^kernel_verity_params = \"\\(.*\\)\"/\\1/p' ${shim_config_file}" || true)
+	[ -n "${kernel_verity_params}" ] || die "Missing kernel_verity_params in ${shim_config_file}"
+
+	kernel_verity_params=$(printf '%s\n' "$kernel_verity_params" | sed -E "s/root_hash=[^,]*/root_hash=${incorrect_hash}/")
 	set_metadata_annotation "$pod_config" \
-		"io.katacontainers.config.hypervisor.kernel_params" \
-		"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
+		"io.katacontainers.config.hypervisor.kernel_verity_params" \
+		"${kernel_verity_params}"
 	# Run on a specific node so we know from where to inspect the logs
 	set_node "$pod_config" "$node"
 
 	# For debug sake
 	echo "Pod $pod_config file:"
 	cat $pod_config
-	kubectl apply -f $pod_config
 
-	waitForProcess "60" "3" "exec_host $node journalctl -t kata | grep \"verity: .* metadata block .* is corrupted\""
+	assert_pod_container_creating "$pod_config"
+	assert_logs_contain "$node" kata "${node_start_time}" "verity: .* metadata block .* is corrupted"
 }
 
 teardown() {

tests/integration/kubernetes/lib.sh

@@ -179,7 +179,7 @@ assert_pod_fail() {
 	local container_config="$1"
 	local duration="${2:-120}"
 
-	echo "In assert_pod_fail: $container_config"
+	echo "In assert_pod_fail: ${container_config}"
 	echo "Attempt to create the container but it should fail"
 
 	retry_kubectl_apply "${container_config}"
@@ -192,13 +192,13 @@ assert_pod_fail() {
 	local sleep_time=5
 	while true; do
 		echo "Waiting for a container to fail"
-		sleep ${sleep_time}
+		sleep "${sleep_time}"
 		elapsed_time=$((elapsed_time+sleep_time))
 		if [[ $(kubectl get pod "${pod_name}" \
 			-o jsonpath='{.status.containerStatuses[0].state.waiting.reason}') = *BackOff* ]]; then
 			return 0
 		fi
-		if [ $elapsed_time -gt $duration ]; then
+		if [[ "${elapsed_time}" -gt "${duration}" ]]; then
 			echo "The container does not get into a failing state" >&2
 			break
 		fi
@@ -207,6 +207,46 @@ assert_pod_fail() {
 
 }
 
+# Create a pod then assert it remains in ContainerCreating.
+#
+# Parameters:
+#	$1 - the pod configuration file.
+# 	$2 - the duration to wait (seconds). Defaults to 60. (optional)
+#
+assert_pod_container_creating() {
+	local container_config="$1"
+	local duration="${2:-60}"
+
+	echo "In assert_pod_container_creating: ${container_config}"
+	echo "Attempt to create the container but it should stay in creating state"
+
+	retry_kubectl_apply "${container_config}"
+	if ! pod_name=$(kubectl get pods -o jsonpath='{.items..metadata.name}'); then
+		echo "Failed to create the pod"
+		return 1
+	fi
+
+	local elapsed_time=0
+	local sleep_time=5
+	while true; do
+		sleep "${sleep_time}"
+		elapsed_time=$((elapsed_time+sleep_time))
+		reason=$(kubectl get pod "${pod_name}" -o jsonpath='{.status.containerStatuses[0].state.waiting.reason}' 2>/dev/null || true)
+		phase=$(kubectl get pod "${pod_name}" -o jsonpath='{.status.phase}' 2>/dev/null || true)
+		if [[ "${phase}" != "Pending" ]]; then
+			echo "Expected pod to remain Pending, got phase: ${phase}" >&2
+			return 1
+		fi
+		if [[ -n "${reason}" && "${reason}" != "ContainerCreating" ]]; then
+			echo "Expected ContainerCreating, got: ${reason}" >&2
+			return 1
+		fi
+		if [[ "${elapsed_time}" -ge "${duration}" ]]; then
+			return 0
+		fi
+	done
+}
+
 # Check the pulled rootfs on host for given node and sandbox_id
 #
 # Parameters:
@@ -381,4 +421,3 @@ get_node_kata_sandbox_id() {
 	done
 	echo $kata_sandbox_id
 }
-