diff --git a/cmd/process-user-data/provision.go b/cmd/process-user-data/provision.go
index 8777d93c8d..031426b780 100644
--- a/cmd/process-user-data/provision.go
+++ b/cmd/process-user-data/provision.go
@@ -162,6 +162,8 @@ func getUserDataForAzure(ctx context.Context, url string) (string, error) {
 "tls-server-cert": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
 "tls-client-ca": "-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----\n",
 "aa-kbc-params": "cc_kbc::http://192.168.100.2:8080"
+ "auth-json": "..."
+ }
 */
@@ -339,5 +341,23 @@ func provisionFiles(cmd *cobra.Command, args []string) error {
 return err
 }
+ // Copy the authJson to the authJsonFilePath
+ config := getConfigFromUserData(cfg.userData)
+ if config.AuthJson != "" {
+ // Create the file
+ file, err := os.Create(defaultAuthJsonFilePath)
+ if err != nil {
+ return fmt.Errorf("failed to create file: %s", err)
+ }
+ defer file.Close()
+
+ // Write the authJson to the file
+ _, err = file.WriteString(config.AuthJson)
+ if err != nil {
+ return fmt.Errorf("failed to write authJson to file: %s", err)
+ }
+
+ }
+
 return nil
 }
diff --git a/cmd/process-user-data/types.go b/cmd/process-user-data/types.go
index f7759f1e0b..3c874bebe3 100644
--- a/cmd/process-user-data/types.go
+++ b/cmd/process-user-data/types.go
@@ -9,7 +9,9 @@ const (
 AWSImdsUrl = "http://169.254.169.254/latest/meta-data/"
 AWSUserDataImdsUrl = "http://169.254.169.254/latest/user-data"
- defaultAgentConfigPath = "/etc/agent-config.toml"
+ defaultAgentConfigPath = "/etc/agent-config.toml"
+ defaultAuthJsonFilePath = "/etc/auth.json"
+ offlineKbcAuthFile = "/etc/aa-offline_fs_kbc-resources.json"
 )
 type Config struct {
diff --git a/cmd/process-user-data/update.go b/cmd/process-user-data/update.go
index 44d0c8efba..417eb5be02 100644
--- a/cmd/process-user-data/update.go
+++ b/cmd/process-user-data/update.go
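Review bot: `os.Create(defaultAuthJsonFilePath)` in the @@ -339 hunk creates the registry-credential file with mode 0666 before umask, so the auth.json contents can end up readable by every local user of the guest; the write in update.go's @@ -106 hunk uses `0644` and has the same exposure. Use an explicit restrictive mode in both places, e.g. `if err := os.WriteFile(defaultAuthJsonFilePath, []byte(config.AuthJson), 0600); err != nil { return fmt.Errorf("writing auth.json: %w", err) }`, which also replaces Create/WriteString/deferred Close and lets the close error surface instead of being discarded by `defer file.Close()`. Both `fmt.Errorf` calls should wrap with `%w` rather than `%s` so callers can inspect the underlying error. If `getConfigFromUserData` can return nil, the `config.AuthJson` dereference needs a guard; its contract is not visible in this hunk. provisionFiles begins outside the hunk.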
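Review bot: `defaultAuthJsonFilePath = "/etc/auth.json"` introduces a second guest-side location for the same credential file next to `DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"` in cloudconfig.go's hunk, with no visible code tying the two together; if the agent is expected to find the file at the cloudconfig path, the `file://` reference written in update.go will point elsewhere. Either derive one from the other or state in a comment which component reads which path. `offlineKbcAuthFile` is not referenced by any hunk in this change; if it is unused it should be dropped, otherwise name its reader in a comment such as `// offlineKbcAuthFile is read by <consumer> — TODO confirm`.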
@@ -106,6 +106,25 @@ func updateAgentConfig(cmd *cobra.Command, args []string) error {
 agentConfig.AaKbcParams = config.AAKBCParams
 }
+ if config.AuthJson != "" {
+
+ fmt.Printf("Updating image_registry_auth_file in agent config file with value\n")
+
+ // Check if authJsonFilePath exists. If it doesn't exists create the file
+
+ if _, err := os.Stat(defaultAuthJsonFilePath); err != nil && os.IsNotExist(err) {
+ // Write the authJson to the defaultAuthJsonFilePath
+ err = os.WriteFile(defaultAuthJsonFilePath, []byte(config.AuthJson), 0644)
+ if err != nil {
+ return fmt.Errorf("failed to write auth.json file: %s", err)
+ }
+ }
+
+ // Update the file path in the agent config
+ agentConfig.ImageRegistryAuthFile = "file://" + defaultAuthJsonFilePath
+
+ }
+
 // Write the updated agent config file
 err = writeAgentConfig(*agentConfig, cfg.agentConfigPath)
 if err != nil {
diff --git a/pkg/adaptor/cloud/cloud.go b/pkg/adaptor/cloud/cloud.go
index 535dbd061f..8917f07be0 100644
--- a/pkg/adaptor/cloud/cloud.go
+++ b/pkg/adaptor/cloud/cloud.go
@@ -225,6 +225,13 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 daemonConfig.AAKBCParams = s.aaKBCParams
 }
+ // Check if auth json file is present
+ if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
+ daemonConfig.AuthJson = string(authJSON)
+ } else {
+ logger.Printf("Credentials file is not in a valid Json format, ignored")
+ }
+
 daemonJSON, err := json.MarshalIndent(daemonConfig, "", " ")
 if err != nil {
 return nil, fmt.Errorf("generating JSON data: %w", err)
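Review bot: The existence check `if _, err := os.Stat(defaultAuthJsonFilePath); err != nil && os.IsNotExist(err)` silently skips the write on any other Stat failure (permission, I/O) and then still points `ImageRegistryAuthFile` at a file that was never written; a Stat error other than not-exist should be returned. When the file already exists it is kept even though `config.AuthJson` may carry newer credentials — either overwrite unconditionally or add a comment stating that an existing file deliberately wins. The `fmt.Printf(... "with value\n")` message trails off without a value; `"Updating image_registry_auth_file in agent config\n"` says what happens without putting the credential in the log. `%s` should be `%w` in the Errorf. updateAgentConfig begins and ends outside the hunk.
```go
	if config.AuthJson != "" {
		fmt.Printf("Updating image_registry_auth_file in agent config\n")

		// Write the file only when it is absent; any other Stat failure is an error.
		_, err := os.Stat(defaultAuthJsonFilePath)
		switch {
		case err == nil:
			// existing file is kept as-is
		case os.IsNotExist(err):
			if err := os.WriteFile(defaultAuthJsonFilePath, []byte(config.AuthJson), 0600); err != nil {
				return fmt.Errorf("writing auth.json file: %w", err)
			}
		default:
			return fmt.Errorf("checking auth.json file: %w", err)
		}

		agentConfig.ImageRegistryAuthFile = "file://" + defaultAuthJsonFilePath
	}
	// … unchanged: writeAgentConfig call …
```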
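Review bot: The `else` branch in the @@ -225 hunk logs "Credentials file is not in a valid Json format" although the only error that reaches it comes from `os.ReadFile` (a missing or unreadable file), and the `json.Valid` and `DefaultAuthfileLimit` checks that the removed @@ -246 hunk performed are not carried over, so an arbitrary or oversized file is now copied verbatim into the daemon config and from there into the userdata. Re-validate before assigning: log the real read error on failure, reject the content when `len(authJSON) >= cloudinit.DefaultAuthfileLimit` or `!json.Valid(authJSON)`, and only then set `daemonConfig.AuthJson`. The constant's TODO about a whole-userdata limit still stands, but until then the size guard is the only cap on what gets embedded. CreateVM begins and ends outside the hunk.
```go
	// Embed the registry credentials only when the file is present, within the size cap and well-formed.
	if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err != nil {
		logger.Printf("Credentials file not read, ignored: %v", err)
	} else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
		logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
	} else if !json.Valid(authJSON) {
		logger.Printf("Credentials file is not in a valid Json format, ignored")
	} else {
		daemonConfig.AuthJson = string(authJSON)
	}
	// … unchanged: daemonJSON marshalling …
```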
@@ -246,20 +253,6 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 },
 }
- if authJSON, err := os.ReadFile(cloudinit.DefaultAuthfileSrcPath); err == nil {
- if json.Valid(authJSON) && (len(authJSON) < cloudinit.DefaultAuthfileLimit) {
- cloudConfig.WriteFiles = append(cloudConfig.WriteFiles,
- cloudinit.WriteFile{
- Path: cloudinit.DefaultAuthfileDstPath,
- Content: cloudinit.AuthJSONToResourcesJSON(string(authJSON)),
- })
- } else if len(authJSON) >= cloudinit.DefaultAuthfileLimit {
- logger.Printf("Credentials file size (%d) is too large to use as userdata, ignored", len(authJSON))
- } else {
- logger.Printf("Credentials file is not in a valid Json format, ignored")
- }
- }
-
 sandbox := &sandbox{
 id: sid,
 podName: pod,
diff --git a/pkg/forwarder/forwarder.go b/pkg/forwarder/forwarder.go
index e1725917d2..9d04d2ff04 100644
--- a/pkg/forwarder/forwarder.go
+++ b/pkg/forwarder/forwarder.go
@@ -44,6 +44,8 @@ type Config struct {
 TLSClientCA string `json:"tls-client-ca,omitempty"`
 AAKBCParams string `json:"aa-kbc-params,omitempty"`
+
+ AuthJson string `json:"auth-json,omitempty"`
 }
 type Daemon interface {
diff --git a/pkg/util/cloudinit/cloudconfig.go b/pkg/util/cloudinit/cloudconfig.go
index a573212cc1..b8d1a6cd80 100644
--- a/pkg/util/cloudinit/cloudconfig.go
+++ b/pkg/util/cloudinit/cloudconfig.go
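Review bot: `AuthJson` in the forwarder.go hunk breaks the initialism convention the struct already follows (`TLSClientCA`, `AAKBCParams`); `AuthJSON` would match, and the rename would need to be carried through the `config.AuthJson` / `daemonConfig.AuthJson` uses in the other hunks. Since the value is a credential document that travels inside the daemon config, the field also deserves a doc comment, e.g. `// AuthJSON holds the container registry auth.json content that is written into the guest verbatim.`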
@@ -13,9 +13,9 @@ import (
 const (
 DefaultAuthfileSrcPath = "/root/containers/auth.json"
- // image-rs fixed dst path for support at the agent, we convert it explictly to the resources file format
- // e.g. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/kbc/src/offline_fs_kbc/aa-offline_fs_kbc-resources.json
- DefaultAuthfileDstPath = "/etc/aa-offline_fs_kbc-resources.json"
+
+ // Location of the container registry auth json file
+ DefaultAuthfileDstPath = "/etc/attestation-agent/auth.json"
 DefaultAuthfileLimit = 12288 // TODO: use a whole userdata limit mechanism instead of limiting authfile
 DefaultAAKBCParamsPath = "/etc/attestation-agent/kbc-params.json"
 )