cloud: Add registry auth json to userdata

This patch makes the auth json used for container registry available via userdata. There are two parts of the change. Part-1 is for CAA, to add the auth json to the daemon config Part-2 is for the process-user-data command to process the auth json and update the kata agent-config toml to refer to the auth json file Fixes: confidential-containers#1119 Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt · Sep 16, 2023 · c41b472 · c41b472
1 parent 15d79b1
commit c41b472
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 17 deletions.
diff --git a/cmd/process-user-data/provision.go b/cmd/process-user-data/provision.go
@@ -162,6 +162,8 @@ func getUserDataForAzure(ctx context.Context, url string) (string, error) {
 		    "tls-server-cert": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
 		    "tls-client-ca": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
 		    "aa-kbc-params": "cc_kbc::http://192.168.100.2:8080"
+		    "auth-json": "..."
+
 		}
 	*/
 
@@ -330,5 +332,30 @@ func provisionFiles(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	// Copy the authJson to the authJsonFilePath
+	config := getConfigFromUserData(cfg.userData)
+	if config.AuthJson != "" {
+		// Create file to copy the authJson to
+		// Create the directory.
+		err := os.MkdirAll(authJsonDirPath, 0755)
+		if err != nil {
+			return fmt.Errorf("failed to create auth json directory: %s", err)
+		}
+
+		// Create the file
+		file, err := os.Create(authJsonFilePath)
+		if err != nil {
+			return fmt.Errorf("failed to create file: %s", err)
+		}
+		defer file.Close()
+
+		// Write the authJson to the file
+		_, err = file.WriteString(config.AuthJson)
+		if err != nil {
+			return fmt.Errorf("failed to write authJson to file: %s", err)
+		}
+
+	}
+
 	return nil
 }
diff --git a/cmd/process-user-data/types.go b/cmd/process-user-data/types.go
@@ -10,6 +10,9 @@ const (
 	AWSUserDataImdsUrl   = "http://169.254.169.254/latest/user-data"
 
 	defaultAgentConfigPath = "/etc/agent-config.toml"
+
+	authJsonDirPath  = "/etc/attestation-agent/"
+	authJsonFilePath = authJsonDirPath + "auth.json"
 )
 
 type Config struct {

diff --git a/cmd/process-user-data/update.go b/cmd/process-user-data/update.go
@@ -106,6 +106,18 @@ func updateAgentConfig(cmd *cobra.Command, args []string) error {
 		agentConfig.AaKbcParams = config.AAKBCParams
 	}
 
+	if config.AuthJson != "" {
+		fmt.Printf("Updating image_registry_auth_file in agent config file with value\n")
+		// Check if authJsonFilePath exists. If it exists update the file path in the
+		// agent config
+		if _, err := os.Stat(authJsonFilePath); err == nil {
+			// Update the file path in the agent config
+			agentConfig.ImageRegistryAuthFile = "file://" + authJsonFilePath
+		} else {
+			fmt.Printf("auth.json file doesn't exist. Not updating the image_registry_auth_file in agent config file\n")
+		}
+	}
+
 	// Write the updated agent config file
 	err = writeAgentConfig(agentConfig, cfg.agentConfigPath)
 	if err != nil {

diff --git a/pkg/adaptor/cloud/cloud.go b/pkg/adaptor/cloud/cloud.go
@@ -225,6 +225,13 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 		daemonConfig.AAKBCParams = s.aaKBCParams
 	}
 
+	// Check if auth json file is present
+	if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
+		daemonConfig.AuthJson = string(authJSON)
+	} else {
+		logger.Printf("Credentials file is not in a valid Json format, ignored")
+	}
+
 	daemonJSON, err := json.MarshalIndent(daemonConfig, "", "    ")
 	if err != nil {
 		return nil, fmt.Errorf("generating JSON data: %w", err)
@@ -246,20 +253,6 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 		},
 	}
 
-	if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
-		if json.Valid(authJSON) && (len(authJSON) < cloudinit.DefaultAuthfileLimit) {
-			cloudConfig.WriteFiles = append(cloudConfig.WriteFiles,
-				cloudinit.WriteFile{
-					Path:    cloudinit.DefaultAuthfileDstPath,
-					Content: cloudinit.AuthJSONToResourcesJSON(string(authJSON)),
-				})
-		} else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
-			logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
-		} else {
-			logger.Printf("Credentials file is not in a valid Json format, ignored")
-		}
-	}
-
 	sandbox := &sandbox{
 		id:           sid,
 		podName:      pod,

diff --git a/pkg/forwarder/forwarder.go b/pkg/forwarder/forwarder.go
@@ -44,6 +44,8 @@ type Config struct {
 	TLSClientCA   string `json:"tls-client-ca,omitempty"`
 
 	AAKBCParams string `json:"aa-kbc-params,omitempty"`
+
+	AuthJson string `json:"auth-json,omitempty"`
 }
 
 type Daemon interface {

diff --git a/pkg/util/cloudinit/cloudconfig.go b/pkg/util/cloudinit/cloudconfig.go
@@ -13,9 +13,9 @@ import (
 
 const (
 	DefaultAuthfileSrcPath = "/root/containers/auth.json"
-	// image-rs fixed dst path for support at the agent, we convert it explictly to the resources file format
-	// e.g. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/kbc/src/offline_fs_kbc/aa-offline_fs_kbc-resources.json
-	DefaultAuthfileDstPath = "/etc/aa-offline_fs_kbc-resources.json"
+
+	// Location of the container registry auth json file
+	DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"
 	DefaultAuthfileLimit   = 12288 // TODO: use a whole userdata limit mechanism instead of limiting authfile
 	DefaultAAKBCParamsPath = "/etc/attestation-agent/kbc-params.json"
 )