From a13c48be4461985f137133f843d80efbbba86fa1 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Mon, 2 Dec 2024 12:16:01 +0100
Subject: [PATCH] packages/test-peerpods: test IMDS functionality

This adds a verification of IMDS functionality to the peer-pods smoke test.
---
 infra/azure-peerpods/.terraform.lock.hcl | 19 +++++++++++++++++
 packages/test-peerpods.sh                | 27 +++++++++++++++++-------
 2 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/infra/azure-peerpods/.terraform.lock.hcl b/infra/azure-peerpods/.terraform.lock.hcl
index 8f921c316..c2fa24e3a 100644
--- a/infra/azure-peerpods/.terraform.lock.hcl
+++ b/infra/azure-peerpods/.terraform.lock.hcl
@@ -1,6 +1,25 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/hashicorp/azuread" {
+  version = "3.0.2"
+  hashes = [
+    "h1:sYCyzbPpSYu2XDah8XqBUITQAfB0x4j4Twh6lw2C4CA=",
+    "zh:16e724b80a9004c7978c30f69a73c98ff63eb8a03937dd44c2a8f0ea0438b7a3",
+    "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+    "zh:2bbbf13713ca4767267b889471c9fc14a56a8fdf5d1013da3ca78667e3caec64",
+    "zh:409ccb05431d643a079da082d89db2d95d6afed4769997ac537c8b7de3bff867",
+    "zh:53e4bca0f5d015380f7f524f36344afe6211ccaf614bfc69af73ca64a9f47d6c",
+    "zh:5780be2c1981d090604d7fa4cef675462f17f40e7f3dc501a031488e87a35b8f",
+    "zh:850e61a1b3e64c752c418526ccf48653514c861b36f5feb631619f906f7e99a0",
+    "zh:8c3565bfcea006a734149cc080452a9daf7d2a9d5362eb7e0a088b6c0d7f0f03",
+    "zh:908b9e6ad49d5d21173ecefc7924902047611be93bbf8e7d021aa9563358396f",
+    "zh:a2a79765c029bc58966eff61cb6e9b0ee14d2ac52b0a22fc7dfa35c9a49af669",
+    "zh:c7f56cbe8743e9ba81fce871bc97d9c07abe86770d9ee7ffefbf3882a61ba89a",
+    "zh:d4dba80e33421b30d81c62611fb7fc62ad39afecc6484436e635913cd8553e67",
+  ]
+}
+
 provider "registry.terraform.io/hashicorp/azurerm" {
   version     = "4.10.0"
   constraints = "4.10.0"
diff --git a/packages/test-peerpods.sh b/packages/test-peerpods.sh
index c2e3dc15b..d28f6f8f8 100644
--- a/packages/test-peerpods.sh
+++ b/packages/test-peerpods.sh
@@ -39,9 +39,17 @@ if [[ $found != true ]]; then
   exit 1
 fi
 
+run_tests() {
+  pod="$(kubectl get pod -l app=alpine -o jsonpath='{.items[0].metadata.name}')"
+
+  # Check IMDS functionality.
+  # -f makes this fail on a 500 status code.
+  kubectl exec "$pod" -- curl -f -i -H "Metadata: true" http://169.254.169.254/metadata/THIM/amd/certification
+}
+
 cleanup() {
-  kubectl delete deploy nginx
-  kubectl wait --for=delete pod --selector=app=nginx --timeout=5m
+  kubectl delete deploy alpine
+  kubectl wait --for=delete pod --selector=app=alpine --timeout=5m
 }
 
 trap cleanup EXIT
@@ -52,26 +60,29 @@ kubectl apply -f - <<EOF
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx
+  name: alpine
 spec:
   selector:
     matchLabels:
-      app: nginx
+      app: alpine
   replicas: 1
   template:
     metadata:
       labels:
-        app: nginx
+        app: alpine
     spec:
       runtimeClassName: kata-remote
       containers:
-      - name: nginx
-        image: nginx
+      - name: alpine
+        image: alpine/curl
         imagePullPolicy: Always
+        command: ["sleep", "3600"]
 EOF
 
-if ! kubectl wait --for=condition=available --timeout=5m deployment/nginx; then
+if ! kubectl wait --for=condition=available --timeout=5m deployment/alpine; then
   kubectl describe pods
   kubectl logs -n confidential-containers-system -l app=cloud-api-adaptor --tail=-1 --all-containers
   exit 1
 fi
+
+run_tests