diff --git a/cmd/process-user-data/provision.go b/cmd/process-user-data/provision.go
index 4dc695a338..25cbc71db5 100644
--- a/cmd/process-user-data/provision.go
+++ b/cmd/process-user-data/provision.go
@@ -162,6 +162,8 @@ func getUserDataForAzure(ctx context.Context, url string) (string, error) {
"tls-server-cert": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
"tls-client-ca": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
"aa-kbc-params": "cc_kbc::http://192.168.100.2:8080"
+ "auth-json": "..."
+ } */
@@ -330,5 +332,30 @@ func provisionFiles(cmd *cobra.Command, args []string) error {
return err
}
+ // Copy the authJson to the authJsonFilePath
+ config := getConfigFromUserData(cfg.userData)
+ if config.AuthJson != "" {
+ // Create file to copy the authJson to
+ // Create the directory.
+ err := os.MkdirAll(authJsonDirPath, 0755)
+ if err != nil {
+ return fmt.Errorf("failed to create auth json directory: %s", err)
+ }
+
+ // Create the file
+ file, err := os.Create(authJsonFilePath)
+ if err != nil {
+ return fmt.Errorf("failed to create file: %s", err)
+ }
+ defer file.Close()
+
+ // Write the authJson to the file
+ _, err = file.WriteString(config.AuthJson)
+ if err != nil {
+ return fmt.Errorf("failed to write authJson to file: %s", err)
+ }
+
+ }
+
return nil
}
diff --git a/cmd/process-user-data/types.go b/cmd/process-user-data/types.go
index f7759f1e0b..ef98677bc6 100644
--- a/cmd/process-user-data/types.go
+++ b/cmd/process-user-data/types.go
@@ -10,6 +10,9 @@ const (
AWSUserDataImdsUrl = "http://169.254.169.254/latest/user-data"
defaultAgentConfigPath = "/etc/agent-config.toml"
+
+ authJsonDirPath = "/etc/attestation-agent/"
+ authJsonFilePath = authJsonDirPath + "auth.json"
)
type Config struct {
diff --git a/cmd/process-user-data/update.go b/cmd/process-user-data/update.go
index b7d36a1810..c5f435e44c 100644
--- a/cmd/process-user-data/update.go
+++ b/cmd/process-user-data/update.go
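Review bot: The credentials file in the provisionFiles hunk is created with `os.Create`, which uses mode 0666 before umask, so under the usual 022 umask the registry auth.json ends up world-readable even though its content is a secret. Create it with an explicit restrictive mode instead, which also removes the unchecked deferred Close: replace the Create/WriteString sequence with `if err := os.WriteFile(authJsonFilePath, []byte(config.AuthJson), 0600); err != nil { return fmt.Errorf("writing auth json to %s: %w", authJsonFilePath, err) }`, and consider 0700 for the directory unless other readers need it. The new error returns use `%s` where cloud.go in this same commit wraps with `%w`, which loses `errors.Is`/`errors.As` matching for callers. provisionFiles starts outside the hunk.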
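Review bot: In the types.go hunk, `authJsonFilePath` resolves to "/etc/attestation-agent/auth.json", the same value this commit gives `cloudinit.DefaultAuthfileDstPath` in pkg/util/cloudinit/cloudconfig.go, and nothing ties the two declarations together, so a later change to one silently breaks the other. If the cmd package can import cloudinit, declare `authJsonFilePath = cloudinit.DefaultAuthfileDstPath`; otherwise add `// Must stay in sync with cloudinit.DefaultAuthfileDstPath.` above it. As a style point, keep the initialism capitalised (`authJSONDirPath`, `authJSONFilePath`) to match `AAKBCParams` and the `authJSON` local used in cloud.go.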
@@ -106,6 +106,18 @@ func updateAgentConfig(cmd *cobra.Command, args []string) error {
agentConfig.AaKbcParams = config.AAKBCParams
}
+ if config.AuthJson != "" {
+ fmt.Printf("Updating image_registry_auth_file in agent config file with value\n")
+ // Check if authJsonFilePath exists. If it exists update the file path in the
+ // agent config
+ if _, err := os.Stat(authJsonFilePath); err == nil {
+ // Update the file path in the agent config
+ agentConfig.ImageRegistryAuthFile = "file://" + authJsonFilePath
+ } else {
+ fmt.Printf("auth.json file doesn't exist. Not updating the image_registry_auth_file in agent config file\n")
+ }
+ }
+
// Write the updated agent config file
err = writeAgentConfig(agentConfig, cfg.agentConfigPath)
if err != nil {
diff --git a/pkg/adaptor/cloud/cloud.go b/pkg/adaptor/cloud/cloud.go
index 535dbd061f..8917f07be0 100644
--- a/pkg/adaptor/cloud/cloud.go
+++ b/pkg/adaptor/cloud/cloud.go
@@ -225,6 +225,13 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
daemonConfig.AAKBCParams = s.aaKBCParams
}
+ // Check if auth json file is present
+ if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
+ daemonConfig.AuthJson = string(authJSON)
+ } else {
+ logger.Printf("Credentials file is not in a valid Json format, ignored")
+ }
+
daemonJSON, err := json.MarshalIndent(daemonConfig, "", " ")
if err != nil {
return nil, fmt.Errorf("generating JSON data: %w", err)
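Review bot: The `os.Stat` check in the updateAgentConfig hunk treats every non-nil error as "file doesn't exist", so a permission or I/O error on `authJsonFilePath` is reported with a misleading message and the auth file is silently skipped. Keep the existing message for the not-found case only, via `} else if os.IsNotExist(err) {`, and return `fmt.Errorf("checking %s: %w", authJsonFilePath, err)` for any other error so the caller sees the real cause. The first `fmt.Printf("Updating image_registry_auth_file ... with value\n")` is printed before the file check and ends with a dangling "with value"; move it into the success branch and include the path it was set to. updateAgentConfig starts and ends outside the hunk.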
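Review bot: In the cloud.go hunk the else branch logs "not in a valid Json format" for a `ReadFile` failure, which in practice is usually a missing file, while the checks that actually decided validity and size in the old code (`json.Valid(authJSON)` and `len(authJSON) < cloudinit.DefaultAuthfileLimit`, deleted in the next hunk) are not carried over, so malformed or oversized credentials are now copied verbatim into the daemon config. Since that config is marshalled for the instance user data, the size guard matters for the reason the existing TODO on `DefaultAuthfileLimit` gives. Suggest reinstating both checks before the assignment, logging only read errors other than a missing file, and keeping the old messages so log consumers are unaffected. CreateVM starts and ends outside the hunk.
```go
	// … unchanged: AAKBCParams handling …
	if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err != nil {
		if !os.IsNotExist(err) {
			logger.Printf("Credentials file could not be read (%v), ignored", err)
		}
	} else if !json.Valid(authJSON) {
		logger.Printf("Credentials file is not in a valid Json format, ignored")
	} else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
		logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
	} else {
		daemonConfig.AuthJson = string(authJSON)
	}
	// … unchanged: daemonJSON marshalling …
```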
@@ -246,20 +253,6 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
},
}
- if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
- if json.Valid(authJSON) && (len(authJSON) < cloudinit.DefaultAuthfileLimit) {
- cloudConfig.WriteFiles = append(cloudConfig.WriteFiles,
- cloudinit.WriteFile{
- Path: cloudinit.DefaultAuthfileDstPath,
- Content: cloudinit.AuthJSONToResourcesJSON(string(authJSON)),
- })
- } else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
- logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
- } else {
- logger.Printf("Credentials file is not in a valid Json format, ignored")
- }
- }
-
sandbox := &sandbox{
id: sid,
podName: pod,
diff --git a/pkg/forwarder/forwarder.go b/pkg/forwarder/forwarder.go
index e1725917d2..9d04d2ff04 100644
--- a/pkg/forwarder/forwarder.go
+++ b/pkg/forwarder/forwarder.go
@@ -44,6 +44,8 @@ type Config struct {
TLSClientCA string `json:"tls-client-ca,omitempty"`
AAKBCParams string `json:"aa-kbc-params,omitempty"`
+
+ AuthJson string `json:"auth-json,omitempty"`
}
type Daemon interface {
diff --git a/pkg/util/cloudinit/cloudconfig.go b/pkg/util/cloudinit/cloudconfig.go
index a573212cc1..b8d1a6cd80 100644
--- a/pkg/util/cloudinit/cloudconfig.go
+++ b/pkg/util/cloudinit/cloudconfig.go
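Review bot: The new `AuthJson` field in the forwarder Config hunk has no doc comment, and judging by the cloud.go hunk in this commit it carries the raw contents of the registry credentials file rather than a path, which a reader of the struct cannot tell from the name. Suggest `// AuthJson holds the raw contents of the container registry auth.json file; it is serialized into the daemon config, so that config must be handled as a secret.` above the field. The name also departs from the file's initialism convention (`TLSClientCA`, `AAKBCParams`); `AuthJSON` would match, with the json tag left unchanged.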
@@ -13,9 +13,9 @@ import (
const (
DefaultAuthfileSrcPath = "/root/containers/auth.json"
- // image-rs fixed dst path for support at the agent, we convert it explictly to the resources file format
- // e.g. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/kbc/src/offline_fs_kbc/aa-offline_fs_kbc-resources.json
- DefaultAuthfileDstPath = "/etc/aa-offline_fs_kbc-resources.json"
+
+ // Location of the container registry auth json file
+ DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"
DefaultAuthfileLimit = 12288 // TODO: use a whole userdata limit mechanism instead of limiting authfile
DefaultAAKBCParamsPath = "/etc/attestation-agent/kbc-params.json"
)
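Review bot: After the cloud.go hunks in this commit, `DefaultAuthfileLimit` (with its TODO) and the renamed `DefaultAuthfileDstPath` have no visible user: the only `len(authJSON) < cloudinit.DefaultAuthfileLimit` check and the `WriteFile{Path: cloudinit.DefaultAuthfileDstPath, ...}` entry are deleted and nothing else in the diff references them. If other call sites exist they are not shown here; otherwise either reapply the limit where `daemonConfig.AuthJson` is populated or remove the constants so the dead TODO does not suggest a guard that no longer runs. The replacement comment could also say who writes the file now, since the provision.go hunk writes the same path from a separately declared constant, e.g. `// Location of the container registry auth.json inside the guest; written by process-user-data from the daemon config, not by cloud-init.`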