
Merge pull request #42 from lmilleri/logging
Logging configuration enablement
bpradipt authored Aug 27, 2024
2 parents df40c94 + 44be2c7 commit 1f7b37e
Showing 12 changed files with 86 additions and 16 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -218,6 +218,8 @@ You’ll need a Kubernetes cluster to run against. You can use [KIND](https://si

It is recommended to uncomment the secret generation for the trustee authorization in the [kustomization.yaml](config/samples/microservices/kustomization.yaml), for both public and private key (`kbs-auth-public-key` and `kbs-client` secrets)

For enabling logs with DEBUG severity, uncomment the `patch-env-vars.yaml` line in the [kustomization.yaml](config/samples/microservices/kustomization.yaml).

```sh
cd config/samples/microservices
# or config/samples/all-in-one for the integrated mode
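--- a/api/v1alpha1/kbsconfig_types.go
+++ b/api/v1alpha1/kbsconfig_types.go
@@ -113,6 +113,11 @@ type KbsConfigSpec struct {
 // IbmSEConfigSpec is the struct that hosts the IBMSE specific configuration
 // +optional
 IbmSEConfigSpec IbmSEConfigSpec `json:"ibmSEConfigSpec,omitempty"`
+
+// KbsEnvVars injects environment variables in the trustee pods
+// For example, RUST_LOG=debug enables logging with DEBUG severity
+// +optional
+KbsEnvVars map[string]string `json:"KbsEnvVars,omitempty"`
 }
 
 // KbsConfigStatus defines the observed state of KbsConfig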
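Review bot: The JSON tag `KbsEnvVars` on the new field breaks the lower-camelCase convention of the sibling tags (`ibmSEConfigSpec` just above, `kbsDeploymentType` in the CSV example), so users must write a capitalised `KbsEnvVars:` key in the CR while every other spec key starts lowercase; `json:"kbsEnvVars,omitempty"` would match, and because the API is still v1alpha1 this is cheap to change now (the sample patches and the generated CRDs would need the same rename). The doc comment could also say what the controller actually does with the map: the same slice is attached to the KBS, AS and RVPS containers and the values land in the Deployment as plain literals, e.g. `// KbsEnvVars injects plain (non-secret) environment variables into every trustee container (KBS, AS and RVPS)`. KbsConfigSpec starts before this hunk.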
7 changes: 7 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


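--- a/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
+++ b/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
@@ -39,6 +39,13 @@ spec:
 spec:
 description: KbsConfigSpec defines the desired state of KbsConfig
 properties:
+KbsEnvVars:
+additionalProperties:
+type: string
+description: |-
+KbsEnvVars injects environment variables in the trustee pods
+For example, RUST_LOG=debug enables logging with DEBUG severity
+type: object
 ibmSEConfigSpec:
 description: IbmSEConfigSpec is the struct that hosts the IBMSE specific
 configuration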
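--- /dev/null
+++ b/bundle/manifests/ibmse-resource-policy-sample_v1_configmap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+data:
+policy.rego: |
+package policy
+default allow = false
+path := split(data["resource-path"], "/")
+allow {
+count(path) == 3
+input["tee"] == "se"
+}
+kind: ConfigMap
+metadata:
+name: ibmse-resource-policy-sample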
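--- a/bundle/manifests/trustee-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/trustee-operator.clusterserviceversion.yaml
@@ -25,14 +25,16 @@ metadata:
 "kbsDeploymentType": "AllInOneDeployment",
 "kbsResourcePolicyConfigMapName": "resource-policy",
 "kbsRvpsRefValuesConfigMapName": "rvps-reference-values",
-"kbsTdxConfigMapName": "tdx-config"
+"tdxConfigSpec": {
+"kbsTdxConfigMapName": "tdx-config"
+}
 }
 }
 ]
 capabilities: Basic Install
 categories: Security
 containerImage: quay.io/confidential-containers/trustee-operator:v0.1.0
-createdAt: "2024-08-01T11:52:16Z"
+createdAt: "2024-08-13T13:05:23Z"
 operators.operatorframework.io/builder: operator-sdk-v1.33.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
 support: Confidential Containers Community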
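--- a/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
+++ b/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
@@ -39,6 +39,13 @@ spec:
 spec:
 description: KbsConfigSpec defines the desired state of KbsConfig
 properties:
+KbsEnvVars:
+additionalProperties:
+type: string
+description: |-
+KbsEnvVars injects environment variables in the trustee pods
+For example, RUST_LOG=debug enables logging with DEBUG severity
+type: object
 ibmSEConfigSpec:
 description: IbmSEConfigSpec is the struct that hosts the IBMSE specific
 configuration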
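--- a/config/samples/all-in-one/kustomization.yaml
+++ b/config/samples/all-in-one/kustomization.yaml
@@ -24,6 +24,8 @@ patches:
 - path: patch-tdx-config.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
+# uncomment the following line for enabling DEBUG logs
+# - path: patch-env-vars.yaml
 
 resources:
 - kbsconfig_sample.yaml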
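--- /dev/null
+++ b/config/samples/all-in-one/patch-env-vars.yaml
@@ -0,0 +1,8 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+name: kbsconfig-sample
+namespace: kbs-operator-system
+spec:
+KbsEnvVars:
+RUST_LOG: debug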
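--- a/config/samples/microservices/kustomization.yaml
+++ b/config/samples/microservices/kustomization.yaml
@@ -25,6 +25,8 @@ patches:
 - path: patch-tdx-config.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
+# uncomment the following line for enabling DEBUG logs
+#- path: patch-env-vars.yaml
 
 resources:
 - kbsconfig_sample.yaml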
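--- /dev/null
+++ b/config/samples/microservices/patch-env-vars.yaml
@@ -0,0 +1,8 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+name: kbsconfig-sample
+namespace: kbs-operator-system
+spec:
+KbsEnvVars:
+RUST_LOG: debug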
34 changes: 20 additions & 14 deletions internal/controller/kbsconfig_controller.go
Expand Up @@ -477,13 +477,14 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
}

securityContext := createSecurityContext()
containers := []corev1.Container{r.buildKbsContainer(kbsVM, securityContext)}
env := buildEnvVars(r)
containers := []corev1.Container{r.buildKbsContainer(kbsVM, securityContext, env)}

if kbsDeploymentType == confidentialcontainersorgv1alpha1.DeploymentTypeMicroservices {
// build AS container
containers = append(containers, r.buildAsContainer(asVM, securityContext))
containers = append(containers, r.buildAsContainer(asVM, securityContext, env))
// build RVPS container
containers = append(containers, r.buildRvpsContainer(rvpsVM, securityContext))
containers = append(containers, r.buildRvpsContainer(rvpsVM, securityContext, env))
}

// Create the deployment
Expand Down Expand Up @@ -534,7 +535,7 @@ func createSecurityContext() *corev1.SecurityContext {
}
}

func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext, env []corev1.EnvVar) corev1.Container {
asImageName := os.Getenv("AS_IMAGE_NAME")
if asImageName == "" {
asImageName = DefaultAsImageName
Expand Down Expand Up @@ -563,10 +564,11 @@ func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount
SecurityContext: securityContext,
// Add volume mount for config
VolumeMounts: volumeMounts,
Env: env,
}
}

func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext, env []corev1.EnvVar) corev1.Container {
rvpsImageName := os.Getenv("RVPS_IMAGE_NAME")
if rvpsImageName == "" {
rvpsImageName = DefaultRvpsImageName
Expand All @@ -593,10 +595,11 @@ func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMou
SecurityContext: securityContext,
// Add volume mount for config
VolumeMounts: volumeMounts,
Env: env,
}
}

func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext, env []corev1.EnvVar) corev1.Container {
// Get Image Name from env variable if set
imageName := os.Getenv("KBS_IMAGE_NAME")
if imageName == "" {
Expand Down Expand Up @@ -624,15 +627,18 @@ func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMoun
SecurityContext: securityContext,
// Add volume mount for KBS config
VolumeMounts: volumeMounts,
/* TODO commented out because not configurable yet
Env: []corev1.EnvVar{
{
Name: "RUST_LOG",
Value: "debug",
},
},
*/
Env: env,
}
}

func buildEnvVars(r *KbsConfigReconciler) []corev1.EnvVar {
env := make([]corev1.EnvVar, 0)
if r.kbsConfig.Spec.KbsEnvVars != nil {
for k, v := range r.kbsConfig.Spec.KbsEnvVars {
env = append(env, corev1.EnvVar{Name: k, Value: v})
}
}
return env
}

func (r *KbsConfigReconciler) isHttpsConfigPresent() bool {
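Review bot: `buildEnvVars` ranges over the `KbsEnvVars` map, so the order of the `Env` slice it returns changes from one reconcile to the next; if the reconciler compares the generated Deployment against the live object to decide whether to update it (that logic is outside this hunk), the reordering will look like drift and cause needless Deployment updates and restarts of the KBS, AS and RVPS pods whenever more than one variable is set. Sorting the keys before building the slice makes the pod spec stable; that needs `sort` in the file's import block, which is outside the hunk. Separately, the same slice is attached to all three containers with plain literal values and no `ValueFrom`, so a comment on `buildEnvVars` such as `// Values are copied verbatim into every trustee container spec; use only for non-secret settings such as RUST_LOG.` would tell the next maintainer not to route credentials through this field.
```go
func buildEnvVars(r *KbsConfigReconciler) []corev1.EnvVar {
	vars := r.kbsConfig.Spec.KbsEnvVars
	names := make([]string, 0, len(vars))
	for name := range vars {
		names = append(names, name)
	}
	// Deterministic order so the generated pod spec does not differ between reconciles.
	sort.Strings(names)
	env := make([]corev1.EnvVar, 0, len(names))
	for _, name := range names {
		env = append(env, corev1.EnvVar{Name: name, Value: vars[name]})
	}
	return env
}
```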

