
cloud: Add registry auth json to userdata
This patch makes the auth json used for the container registry available via
userdata. There are two parts to the change.
Part-1 is for CAA, to add the auth json to the daemon config.

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt committed Sep 20, 2023
1 parent 5c99d9c commit e6a613a
Showing 6 changed files with 54 additions and 18 deletions.
20 changes: 20 additions & 0 deletions cmd/process-user-data/provision.go
Expand Up @@ -162,6 +162,8 @@ func getUserDataForAzure(ctx context.Context, url string) (string, error) {
"tls-server-cert": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
"tls-client-ca": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
"aa-kbc-params": "cc_kbc::http://192.168.100.2:8080"
"auth-json": "..."
}
*/

Expand Down Expand Up @@ -339,5 +341,23 @@ func provisionFiles(cmd *cobra.Command, args []string) error {
return err
}

// Copy the authJson to the authJsonFilePath
config := getConfigFromUserData(cfg.userData)
if config.AuthJson != "" {
// Create the file
file, err := os.Create(defaultAuthJsonFilePath)
if err != nil {
return fmt.Errorf("failed to create file: %s", err)
}
defer file.Close()

// Write the authJson to the file
_, err = file.WriteString(config.AuthJson)
if err != nil {
return fmt.Errorf("failed to write authJson to file: %s", err)
}

}

return nil
}
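Review bot: `os.Create(defaultAuthJsonFilePath)` right after the `config.AuthJson != ""` check creates the registry credentials file with the default 0666 mode (minus umask), so the auth json can end up readable by every account on the guest; the same problem appears in cmd/process-user-data/update.go, which writes the same file with `0644`. Both should use owner-only permissions, e.g. replacing the Create/WriteString pair here with `if err := os.WriteFile(defaultAuthJsonFilePath, []byte(config.AuthJson), 0600); err != nil { return fmt.Errorf("writing auth json to %s: %w", defaultAuthJsonFilePath, err) }`, which also removes the `defer file.Close()` whose error is currently ignored after the write and makes the two call sites consistent. Whether `getConfigFromUserData` can return nil for missing or malformed userdata is not visible here; if it can, the `config.AuthJson` access needs a guard. In the first hunk, the example JSON in the doc comment is missing a comma after the `aa-kbc-params` entry. provisionFiles begins outside the hunk.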
4 changes: 3 additions & 1 deletion cmd/process-user-data/types.go
Expand Up @@ -9,7 +9,9 @@ const (
AWSImdsUrl = "http://169.254.169.254/latest/meta-data/"
AWSUserDataImdsUrl = "http://169.254.169.254/latest/user-data"

defaultAgentConfigPath = "/etc/agent-config.toml"
defaultAgentConfigPath = "/etc/agent-config.toml"
defaultAuthJsonFilePath = "/etc/auth.json"
offlineKbcAuthFile = "/etc/aa-offline_fs_kbc-resources.json"
)

type Config struct {
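Review bot: `defaultAuthJsonFilePath = "/etc/auth.json"` places the registry auth file directly under /etc, while the same commit sets `DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"` in pkg/util/cloudinit/cloudconfig.go; two different guest-side locations for one file are easy to confuse, and which one other components expect is not visible here. Consider using a single path for both, or documenting the distinction on the constant, e.g. `// defaultAuthJsonFilePath is where process-user-data writes the registry auth json taken from userdata; updateAgentConfig points image_registry_auth_file at it.` The const block is complete within the hunk; the `Config` struct that follows continues outside it.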
19 changes: 19 additions & 0 deletions cmd/process-user-data/update.go
Expand Up @@ -106,6 +106,25 @@ func updateAgentConfig(cmd *cobra.Command, args []string) error {
agentConfig.AaKbcParams = config.AAKBCParams
}

if config.AuthJson != "" {

fmt.Printf("Updating image_registry_auth_file in agent config file with value\n")

// Check if authJsonFilePath exists. If it doesn't exists create the file

if _, err := os.Stat(defaultAuthJsonFilePath); err != nil && os.IsNotExist(err) {
// Write the authJson to the defaultAuthJsonFilePath
err = os.WriteFile(defaultAuthJsonFilePath, []byte(config.AuthJson), 0644)
if err != nil {
return fmt.Errorf("failed to write auth.json file: %s", err)
}
}

// Update the file path in the agent config
agentConfig.ImageRegistryAuthFile = "file://" + defaultAuthJsonFilePath

}

// Write the updated agent config file
err = writeAgentConfig(*agentConfig, cfg.agentConfigPath)
if err != nil {
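Review bot: The `os.Stat` guard before `os.WriteFile` only acts when `os.IsNotExist(err)` holds; any other Stat error (a permission problem, for instance) falls through silently and `agentConfig.ImageRegistryAuthFile` is still pointed at a file that may be unusable. The non-not-exist case should be surfaced, e.g. inside the `if` add `if !os.IsNotExist(err) { return fmt.Errorf("checking %s: %s", defaultAuthJsonFilePath, err) }` before the write, or simply write the file unconditionally since the content comes from the same userdata either way. The `fmt.Printf` progress line goes to stdout rather than through whatever logging the rest of this command uses; worth confirming that is intended. The `0644` mode on the written credentials file is raised in the note on cmd/process-user-data/provision.go. updateAgentConfig begins and ends outside the hunk.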
21 changes: 7 additions & 14 deletions pkg/adaptor/cloud/cloud.go
Expand Up @@ -225,6 +225,13 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
daemonConfig.AAKBCParams = s.aaKBCParams
}

// Check if auth json file is present
if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
daemonConfig.AuthJson = string(authJSON)
} else {
logger.Printf("Credentials file is not in a valid Json format, ignored")
}

daemonJSON, err := json.MarshalIndent(daemonConfig, "", " ")
if err != nil {
return nil, fmt.Errorf("generating JSON data: %w", err)
Expand All @@ -246,20 +253,6 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
},
}

if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
if json.Valid(authJSON) && (len(authJSON) < cloudinit.DefaultAuthfileLimit) {
cloudConfig.WriteFiles = append(cloudConfig.WriteFiles,
cloudinit.WriteFile{
Path: cloudinit.DefaultAuthfileDstPath,
Content: cloudinit.AuthJSONToResourcesJSON(string(authJSON)),
})
} else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
} else {
logger.Printf("Credentials file is not in a valid Json format, ignored")
}
}

sandbox := &sandbox{
id: sid,
podName: pod,
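Review bot: In the first hunk the raw contents of `cloudinit.DefaultAuthfileSrcPath` are assigned to `daemonConfig.AuthJson` without the `json.Valid` and `cloudinit.DefaultAuthfileLimit` checks that the second hunk removes, so a malformed or oversized auth file is now embedded into the userdata unchecked, and the `else` branch logs "not in a valid Json format" for what is actually a read error — including the ordinary case of no credentials file being present, which will log on every CreateVM. The restructuring below keeps the validity and size checks before assigning and only logs read errors other than not-exist; `DefaultAuthfileLimit` is still defined in cloudconfig.go by this commit, so the limit remains available. CreateVM begins and ends outside the hunk.
```go
// Check if auth json file is present
if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
	if !json.Valid(authJSON) {
		logger.Printf("Credentials file is not in a valid Json format, ignored")
	} else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
		logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
	} else {
		daemonConfig.AuthJson = string(authJSON)
	}
} else if !os.IsNotExist(err) {
	logger.Printf("reading credentials file %s: %v", cloudinit.DefaultAuthfileSrcPath, err)
}
// … unchanged: daemonJSON marshalling …
```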
2 changes: 2 additions & 0 deletions pkg/forwarder/forwarder.go
Expand Up @@ -44,6 +44,8 @@ type Config struct {
TLSClientCA string `json:"tls-client-ca,omitempty"`

AAKBCParams string `json:"aa-kbc-params,omitempty"`

AuthJson string `json:"auth-json,omitempty"`
}

type Daemon interface {
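Review bot: The new field is named `AuthJson`, while the neighbouring fields in `Config` follow Go's initialism convention (`TLSClientCA`, `AAKBCParams`); `AuthJSON string` with the existing `json:"auth-json,omitempty"` tag would match, leaving the wire format unchanged, though the references in pkg/adaptor/cloud/cloud.go and cmd/process-user-data would need the same rename. A doc comment would also help, since this field carries registry credentials that are serialized into the daemon config, e.g. `// AuthJson holds the contents of the container registry auth file; process-user-data writes it out on the guest.` The `Config` struct begins outside the hunk.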
6 changes: 3 additions & 3 deletions pkg/util/cloudinit/cloudconfig.go
Expand Up @@ -13,9 +13,9 @@ import (

const (
DefaultAuthfileSrcPath = "/root/containers/auth.json"
// image-rs fixed dst path for support at the agent, we convert it explictly to the resources file format
// e.g. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/kbc/src/offline_fs_kbc/aa-offline_fs_kbc-resources.json
DefaultAuthfileDstPath = "/etc/aa-offline_fs_kbc-resources.json"

// Location of the container registry auth json file
DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"
DefaultAuthfileLimit = 12288 // TODO: use a whole userdata limit mechanism instead of limiting authfile
DefaultAAKBCParamsPath = "/etc/attestation-agent/kbc-params.json"
)
