cloud: Add registry auth json to userdata
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file
depending on the type of kbc used - offline_kbc or cc_kbc

offline_kbc and cc_kbc each expect the container registry auth to be
provided in their own way.

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt committed Sep 20, 2023
1 parent 5c99d9c commit 99913b2
Showing 6 changed files with 77 additions and 17 deletions.
27 changes: 27 additions & 0 deletions cmd/process-user-data/provision.go
Expand Up @@ -162,6 +162,8 @@ func getUserDataForAzure(ctx context.Context, url string) (string, error) {
"tls-server-cert": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
"tls-client-ca": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
"aa-kbc-params": "cc_kbc::http://192.168.100.2:8080"
"auth-json": "..."
}
*/

Expand Down Expand Up @@ -339,5 +341,30 @@ func provisionFiles(cmd *cobra.Command, args []string) error {
return err
}

// Copy the authJson to the authJsonFilePath
config := getConfigFromUserData(cfg.userData)
if config.AuthJson != "" {
// Create file to copy the authJson to
// Create the directory.
err := os.MkdirAll(authJsonDirPath, 0755)
if err != nil {
return fmt.Errorf("failed to create auth json directory: %s", err)
}

// Create the file
file, err := os.Create(authJsonFilePath)
if err != nil {
return fmt.Errorf("failed to create file: %s", err)
}
defer file.Close()

// Write the authJson to the file
_, err = file.WriteString(config.AuthJson)
if err != nil {
return fmt.Errorf("failed to write authJson to file: %s", err)
}

}

return nil
}
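Review bot: The registry credential is written through `os.Create(authJsonFilePath)`, which creates the file with mode 0666 before umask, so the auth.json contents may end up readable by any local user on the pod VM; the same pattern is used for `os.Create(offlineKbcAuthFile)` in cmd/process-user-data/update.go. The create/defer/write sequence can be replaced by `if err := os.WriteFile(authJsonFilePath, []byte(config.AuthJson), 0600); err != nil { return fmt.Errorf("failed to write authJson to file: %w", err) }`, which also avoids holding the handle open until provisionFiles returns. Whether `os.MkdirAll(authJsonDirPath, 0755)` should likewise be tightened depends on which process reads the other files in that directory, which the hunk does not show. Wrapping with `%w` instead of `%s` lets callers inspect the underlying error. provisionFiles starts outside the hunk.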
4 changes: 4 additions & 0 deletions cmd/process-user-data/types.go
Expand Up @@ -10,6 +10,10 @@ const (
AWSUserDataImdsUrl = "http://169.254.169.254/latest/user-data"

defaultAgentConfigPath = "/etc/agent-config.toml"

authJsonDirPath = "/etc/attestation-agent/"
authJsonFilePath = authJsonDirPath + "auth.json"
offlineKbcAuthFile = "/etc/aa-offline_fs_kbc-resources.json"
)

type Config struct {
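Review bot: `authJsonFilePath` spells out the same path that `cloudinit.DefaultAuthfileDstPath` now holds (`/etc/attestation-agent/auth.json`), and `offlineKbcAuthFile` repeats the value that constant had before this commit, so the producer side in pkg/util/cloudinit and the consumer side here can drift apart without any compile error. Deriving the local names from the shared constant, e.g. `authJsonFilePath = cloudinit.DefaultAuthfileDstPath`, keeps one definition; update.go in this package already imports cloudinit, so an import cycle seems unlikely but should be confirmed. The const block starts outside the hunk.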
34 changes: 34 additions & 0 deletions cmd/process-user-data/update.go
Expand Up @@ -7,6 +7,7 @@ import (
"strings"

daemon "github.com/confidential-containers/cloud-api-adaptor/pkg/forwarder"
"github.com/confidential-containers/cloud-api-adaptor/pkg/util/cloudinit"
toml "github.com/pelletier/go-toml/v2"
"github.com/spf13/cobra"
)
Expand Down Expand Up @@ -106,6 +107,39 @@ func updateAgentConfig(cmd *cobra.Command, args []string) error {
agentConfig.AaKbcParams = config.AAKBCParams
}

if config.AuthJson != "" {
// Check if AaKbcParams is offline_fs_kbc
if strings.Contains(agentConfig.AaKbcParams, "offline_fs_kbc") {
// Create offline registry auth file
// Create the file
file, err := os.Create(offlineKbcAuthFile)
if err != nil {
return fmt.Errorf("failed to create file: %s", err)
}
defer file.Close()

_, err = file.WriteString(cloudinit.AuthJSONToResourcesJSON(string(config.AuthJson)))
if err != nil {
return fmt.Errorf("failed to write agent config file: %s", err)
}

} else if strings.Contains(agentConfig.AaKbcParams, "cc_kbc") {

fmt.Printf("Updating image_registry_auth_file in agent config file with value\n")
// Check if authJsonFilePath exists. If it exists update the file path in the
// agent config
if _, err := os.Stat(authJsonFilePath); err == nil {
// Update the file path in the agent config
agentConfig.ImageRegistryAuthFile = "file://" + authJsonFilePath
} else {
fmt.Printf("auth.json file doesn't exist. Not updating the image_registry_auth_file in agent config file\n")
}
} else {
fmt.Printf("Unknown KBC option. Not updating the agent config file\n")
}

}

// Write the updated agent config file
err = writeAgentConfig(*agentConfig, cfg.agentConfigPath)
if err != nil {
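Review bot: The error returned after `file.WriteString(...)` in the offline_fs_kbc branch says `failed to write agent config file`, but the file being written is the offline KBC resources file, so the message will misdirect whoever reads the log; `return fmt.Errorf("failed to write offline kbc auth file: %w", err)` names the right file and keeps the cause inspectable. On the same line `string(config.AuthJson)` is a no-op, since `AuthJson` is declared as `string` in the forwarder Config. The `defer file.Close()` inside the branch keeps the handle open until updateAgentConfig returns, which is past the later writeAgentConfig call; `os.WriteFile` with a restrictive mode would remove both the defer and the default 0666 create mode. updateAgentConfig starts and ends outside the hunk.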
21 changes: 7 additions & 14 deletions pkg/adaptor/cloud/cloud.go
Expand Up @@ -225,6 +225,13 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
daemonConfig.AAKBCParams = s.aaKBCParams
}

// Check if auth json file is present
if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
daemonConfig.AuthJson = string(authJSON)
} else {
logger.Printf("Credentials file is not in a valid Json format, ignored")
}

daemonJSON, err := json.MarshalIndent(daemonConfig, "", " ")
if err != nil {
return nil, fmt.Errorf("generating JSON data: %w", err)
Expand All @@ -246,20 +253,6 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
},
}

if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
if json.Valid(authJSON) && (len(authJSON) < cloudinit.DefaultAuthfileLimit) {
cloudConfig.WriteFiles = append(cloudConfig.WriteFiles,
cloudinit.WriteFile{
Path: cloudinit.DefaultAuthfileDstPath,
Content: cloudinit.AuthJSONToResourcesJSON(string(authJSON)),
})
} else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
} else {
logger.Printf("Credentials file is not in a valid Json format, ignored")
}
}

sandbox := &sandbox{
id: sid,
podName: pod,
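Review bot: The new `os.ReadFile(cloudinit.DefaultAuthfileSrcPath)` block drops the `json.Valid` and `cloudinit.DefaultAuthfileLimit` checks that the removed block applied, so malformed or oversized file contents are now embedded verbatim into the daemon config that goes out as userdata, and the `else` branch logs "not in a valid Json format" for every read failure, including the file simply being absent, which the old code passed over silently. Restoring both checks keeps the validation the previous path had; `DefaultAuthfileLimit` is still declared in cloudconfig.go, so no new constant is needed. Absence of the file remains a non-error, as before. CreateVM continues outside the hunk.
```go
	// Check if auth json file is present
	if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
		switch {
		case !json.Valid(authJSON):
			logger.Printf("Credentials file is not in a valid Json format, ignored")
		case len(authJSON) >= cloudinit.DefaultAuthfileLimit:
			logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
		default:
			daemonConfig.AuthJson = string(authJSON)
		}
	}
	// … unchanged: daemonJSON marshalling and the rest of CreateVM …
```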
2 changes: 2 additions & 0 deletions pkg/forwarder/forwarder.go
Expand Up @@ -44,6 +44,8 @@ type Config struct {
TLSClientCA string `json:"tls-client-ca,omitempty"`

AAKBCParams string `json:"aa-kbc-params,omitempty"`

AuthJson string `json:"auth-json,omitempty"`
}

type Daemon interface {
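Review bot: The new field is spelled `AuthJson` while the neighbouring fields keep initialisms upper-case (`TLSClientCA`, `AAKBCParams`); `AuthJSON string `json:"auth-json,omitempty"`` follows the file's convention and leaves the JSON tag, and therefore the wire format, unchanged. Since this field carries a registry credential, a doc comment stating that would help readers of the struct, e.g. `// AuthJson holds the contents of the container registry auth.json, passed to the pod VM via userdata.` The Config struct begins outside the hunk.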
6 changes: 3 additions & 3 deletions pkg/util/cloudinit/cloudconfig.go
Expand Up @@ -13,9 +13,9 @@ import (

const (
DefaultAuthfileSrcPath = "/root/containers/auth.json"
// image-rs fixed dst path for support at the agent, we convert it explictly to the resources file format
// e.g. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/kbc/src/offline_fs_kbc/aa-offline_fs_kbc-resources.json
DefaultAuthfileDstPath = "/etc/aa-offline_fs_kbc-resources.json"

// Location of the container registry auth json file
DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"
DefaultAuthfileLimit = 12288 // TODO: use a whole userdata limit mechanism instead of limiting authfile
DefaultAAKBCParamsPath = "/etc/attestation-agent/kbc-params.json"
)
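Review bot: The replacement comment on `DefaultAuthfileDstPath` no longer says which side writes the file or who consumes it, and the constant's value now refers to the raw auth.json rather than the converted resources file, which is a meaning change behind an unchanged name. Suggest `// DefaultAuthfileDstPath is where the raw container registry auth.json is placed on the pod VM; cc_kbc is pointed at it via image_registry_auth_file.`, and a note on `DefaultAuthfileLimit` saying where the limit is enforced, since its only visible use in this commit is removed from cloud.go. The const block starts outside the hunk.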
