cloud: Add registry auth json to userdata

This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file
depending on the type of kbc used - offline_kbc or cc_kbc

offline_kbc and cc_kbc expects the container registry auth to be
provided in its own unique way.

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>

cmd/process-user-data/provision.go

@@ -162,6 +162,8 @@ func getUserDataForAzure(ctx context.Context, url string) (string, error) {
 		    "tls-server-cert": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
 		    "tls-client-ca": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
 		    "aa-kbc-params": "cc_kbc::http://192.168.100.2:8080"
+		    "auth-json": "..."
+
 		}
 	*/
 
@@ -330,5 +332,30 @@ func provisionFiles(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	// Copy the authJson to the authJsonFilePath
+	config := getConfigFromUserData(cfg.userData)
+	if config.AuthJson != "" {
+		// Create file to copy the authJson to
+		// Create the directory.
+		err := os.MkdirAll(authJsonDirPath, 0755)
+		if err != nil {
+			return fmt.Errorf("failed to create auth json directory: %s", err)
+		}
+
+		// Create the file
+		file, err := os.Create(authJsonFilePath)
+		if err != nil {
+			return fmt.Errorf("failed to create file: %s", err)
+		}
+		defer file.Close()
+
+		// Write the authJson to the file
+		_, err = file.WriteString(config.AuthJson)
+		if err != nil {
+			return fmt.Errorf("failed to write authJson to file: %s", err)
+		}
+
+	}
+
 	return nil
 }

cmd/process-user-data/types.go

@@ -10,6 +10,10 @@ const (
 	AWSUserDataImdsUrl   = "http://169.254.169.254/latest/user-data"
 
 	defaultAgentConfigPath = "/etc/agent-config.toml"
+
+	authJsonDirPath    = "/etc/attestation-agent/"
+	authJsonFilePath   = authJsonDirPath + "auth.json"
+	offlineKbcAuthFile = "/etc/aa-offline_fs_kbc-resources.json"
 )
 
 type Config struct {

cmd/process-user-data/update.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	daemon "github.com/confidential-containers/cloud-api-adaptor/pkg/forwarder"
+	"github.com/confidential-containers/cloud-api-adaptor/pkg/util/cloudinit"
 	toml "github.com/pelletier/go-toml/v2"
 	"github.com/spf13/cobra"
 )
@@ -106,6 +107,39 @@ func updateAgentConfig(cmd *cobra.Command, args []string) error {
 		agentConfig.AaKbcParams = config.AAKBCParams
 	}
 
+	if config.AuthJson != "" {
+		// Check if AaKbcParams is offline_fs_kbc
+		if strings.Contains(agentConfig.AaKbcParams, "offline_fs_kbc") {
+			// Create offline registry auth file
+			// Create the file
+			file, err := os.Create(offlineKbcAuthFile)
+			if err != nil {
+				return fmt.Errorf("failed to create file: %s", err)
+			}
+			defer file.Close()
+
+			_, err = file.WriteString(cloudinit.AuthJSONToResourcesJSON(string(config.AuthJson)))
+			if err != nil {
+				return fmt.Errorf("failed to write agent config file: %s", err)
+			}
+
+		} else if strings.Contains(agentConfig.AaKbcParams, "cc_kbc") {
+
+			fmt.Printf("Updating image_registry_auth_file in agent config file with value\n")
+			// Check if authJsonFilePath exists. If it exists update the file path in the
+			// agent config
+			if _, err := os.Stat(authJsonFilePath); err == nil {
+				// Update the file path in the agent config
+				agentConfig.ImageRegistryAuthFile = "file://" + authJsonFilePath
+			} else {
+				fmt.Printf("auth.json file doesn't exist. Not updating the image_registry_auth_file in agent config file\n")
+			}
+		} else {
+			fmt.Printf("Unknown KBC option. Not updating the agent config file\n")
+		}
+
+	}
+
 	// Write the updated agent config file
 	err = writeAgentConfig(agentConfig, cfg.agentConfigPath)
 	if err != nil {

pkg/adaptor/cloud/cloud.go

@@ -225,6 +225,13 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 		daemonConfig.AAKBCParams = s.aaKBCParams
 	}
 
+	// Check if auth json file is present
+	if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
+		daemonConfig.AuthJson = string(authJSON)
+	} else {
+		logger.Printf("Credentials file is not in a valid Json format, ignored")
+	}
+
 	daemonJSON, err := json.MarshalIndent(daemonConfig, "", "    ")
 	if err != nil {
 		return nil, fmt.Errorf("generating JSON data: %w", err)
@@ -246,20 +253,6 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 		},
 	}
 
-	if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
-		if json.Valid(authJSON) && (len(authJSON) < cloudinit.DefaultAuthfileLimit) {
-			cloudConfig.WriteFiles = append(cloudConfig.WriteFiles,
-				cloudinit.WriteFile{
-					Path:    cloudinit.DefaultAuthfileDstPath,
-					Content: cloudinit.AuthJSONToResourcesJSON(string(authJSON)),
-				})
-		} else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
-			logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
-		} else {
-			logger.Printf("Credentials file is not in a valid Json format, ignored")
-		}
-	}
-
 	sandbox := &sandbox{
 		id:           sid,
 		podName:      pod,

pkg/forwarder/forwarder.go

@@ -44,6 +44,8 @@ type Config struct {
 	TLSClientCA   string `json:"tls-client-ca,omitempty"`
 
 	AAKBCParams string `json:"aa-kbc-params,omitempty"`
+
+	AuthJson string `json:"auth-json,omitempty"`
 }
 
 type Daemon interface {

pkg/util/cloudinit/cloudconfig.go

@@ -13,9 +13,9 @@ import (
 
 const (
 	DefaultAuthfileSrcPath = "/root/containers/auth.json"
-	// image-rs fixed dst path for support at the agent, we convert it explictly to the resources file format
-	// e.g. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/kbc/src/offline_fs_kbc/aa-offline_fs_kbc-resources.json
-	DefaultAuthfileDstPath = "/etc/aa-offline_fs_kbc-resources.json"
+
+	// Location of the container registry auth json file
+	DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"
 	DefaultAuthfileLimit   = 12288 // TODO: use a whole userdata limit mechanism instead of limiting authfile
 	DefaultAAKBCParamsPath = "/etc/attestation-agent/kbc-params.json"
 )