From dc1ac4756b85d0fea1d6630a8d13b1afaa83aa64 Mon Sep 17 00:00:00 2001 From: Leonardo Milleri Date: Wed, 19 Jun 2024 08:56:51 +0100 Subject: [PATCH] Add support for resource policy Resource policy can be updated in Trustee using the correspondent config map Signed-off-by: Leonardo Milleri
---
README.md | 5 +++++ api/v1alpha1/kbsconfig_types.go | 3 +++ .../confidentialcontainers.org_kbsconfigs.yaml | 4 ++++ .../resource-policy-sample_v1_configmap.yaml | 12 ++++++++++++ .../confidentialcontainers.org_kbsconfigs.yaml | 4 ++++ config/samples/all-in-one/kustomization.yaml | 2 ++ .../samples/all-in-one/patch-resource-policy.yaml | 7 +++++++ config/samples/all-in-one/resource-policy.yaml | 13 +++++++++++++ config/samples/microservices/kustomization.yaml | 2 ++ .../microservices/patch-resource-policy.yaml | 7 +++++++ config/samples/microservices/resource-policy.yaml | 13 +++++++++++++ internal/controller/kbsconfig_controller.go | 9 +++++++++ 12 files changed, 81 insertions(+) create mode 100644 bundle/manifests/resource-policy-sample_v1_configmap.yaml create mode 100644 config/samples/all-in-one/patch-resource-policy.yaml create mode 100644 config/samples/all-in-one/resource-policy.yaml create mode 100644 config/samples/microservices/patch-resource-policy.yaml create mode 100644 config/samples/microservices/resource-policy.yaml
diff --git a/README.md b/README.md
index ba4a5c1..f5242b7 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,9 @@ type KbsConfigSpec struct {
 // KbsSecretResources is an array of secret names that contain the keys required by clients
 KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
+
+// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
+ KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`
 }
 ```
@@ -133,6 +136,8 @@ spec:
 kbsHttpsCertSecretName: kbs-https-certificate
 # K8s Secrets to be made available to KBS clients
 kbsSecretResources: ["kbsres1"]
+ # Resource policy
+ kbsResourcePolicyConfigMapName: resource-policy
 ```
 ## Getting Started
diff --git a/api/v1alpha1/kbsconfig_types.go b/api/v1alpha1/kbsconfig_types.go
index feca67f..6cecc34 100644
--- a/api/v1alpha1/kbsconfig_types.go
+++ b/api/v1alpha1/kbsconfig_types.go
@@ -73,6 +73,9 @@ type KbsConfigSpec struct {
 // KbsSecretResources is an array of secret names that contain the keys required by clients
 KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
+
+ // kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
+ KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`
 }
 // KbsConfigStatus defines the observed state of KbsConfig
diff --git a/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml b/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
index 9772a07..0263c82 100644
--- a/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
+++ b/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
@@ -66,6 +66,10 @@ spec:
 description: KbsHttpsKeySecretName is the name of the secret that contains the KBS https private key
 type: string
+ kbsResourcePolicyConfigMapName:
+ description: kbsResourcePolicyConfigMapName is the name of the configmap
+ that contains the Resource Policy
+ type: string
 kbsRvpsConfigMapName:
 description: KbsRvpsConfigMapName is the name of the configmap that contains the KBS RVPS configuration
diff --git a/bundle/manifests/resource-policy-sample_v1_configmap.yaml b/bundle/manifests/resource-policy-sample_v1_configmap.yaml
new file mode 100644
index 0000000..018e5a1
--- /dev/null
+++ b/bundle/manifests/resource-policy-sample_v1_configmap.yaml
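Review bot: The doc comment on the new field opens with the JSON name `kbsResourcePolicyConfigMapName` instead of the Go identifier, unlike the sibling `// KbsSecretResources is …` line just above it, and that text is copied verbatim into both generated CRD descriptions in this patch, so the mismatch surfaces in the API docs too. Suggest `// KbsResourcePolicyConfigMapName is the name of the ConfigMap that contains the KBS resource policy (Rego).` Because the field is `omitempty` it can be absent on KbsConfig objects created before this change, so the comment should also state what an empty value means once the controller decides that (the controller hunk in this patch does not visibly handle it). The KbsConfigSpec struct continues outside the hunk.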
@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+ policy.rego: |
+ package policy
+
+ default allow = false
+ allow {
+ input["tcb-status"]["sample.svn"] == "1"
+ }
+kind: ConfigMap
+metadata:
+ name: resource-policy-sample
diff --git a/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml b/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
index b87c782..cd470f0 100644
--- a/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
+++ b/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
@@ -66,6 +66,10 @@ spec:
 description: KbsHttpsKeySecretName is the name of the secret that contains the KBS https private key
 type: string
+ kbsResourcePolicyConfigMapName:
+ description: kbsResourcePolicyConfigMapName is the name of the configmap
+ that contains the Resource Policy
+ type: string
 kbsRvpsConfigMapName:
 description: KbsRvpsConfigMapName is the name of the configmap that contains the KBS RVPS configuration
diff --git a/config/samples/all-in-one/kustomization.yaml b/config/samples/all-in-one/kustomization.yaml
index 9c5df21..fc36896 100644
--- a/config/samples/all-in-one/kustomization.yaml
+++ b/config/samples/all-in-one/kustomization.yaml
@@ -19,6 +19,7 @@ generatorOptions:
 patches:
 - path: patch-ref-values.yaml
+- path: patch-resource-policy.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
@@ -26,4 +27,5 @@ resources:
 - kbsconfig_sample.yaml
 - kbs-config.yaml
 - rvps-reference-values.yaml
+- resource-policy.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/config/samples/all-in-one/patch-resource-policy.yaml b/config/samples/all-in-one/patch-resource-policy.yaml
new file mode 100644
index 0000000..091a68b
--- /dev/null
+++ b/config/samples/all-in-one/patch-resource-policy.yaml
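Review bot: The bundle sample policy admits a request only when `input["tcb-status"]["sample.svn"] == "1"`, i.e. it is written for the `sample` attester, while the two kustomize samples in this same patch (`config/samples/*/resource-policy.yaml`) do the opposite and allow any `tee` other than `sample`; nothing in either file says which is the intended starting point. Suggest a leading comment in this ConfigMap, e.g. `# Demo policy keyed to the "sample" attester: it releases resources to nothing else and must be replaced when real TEEs attest to this KBS.` Whether `tcb-status` is populated from the attestation token claims is not visible here, so the wording should be checked against the KBS policy input schema before it lands in the OLM bundle.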
@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+ name: kbsconfig-sample
+ namespace: kbs-operator-system
+spec:
+ kbsResourcePolicyConfigMapName: resource-policy
diff --git a/config/samples/all-in-one/resource-policy.yaml b/config/samples/all-in-one/resource-policy.yaml
new file mode 100644
index 0000000..201f328
--- /dev/null
+++ b/config/samples/all-in-one/resource-policy.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: resource-policy
+ namespace: kbs-operator-system
+data:
+ policy.rego: |
+ package policy
+
+ default allow = false
+ allow {
+ input["tee"] != "sample"
+ }
diff --git a/config/samples/microservices/kustomization.yaml b/config/samples/microservices/kustomization.yaml
index 0eae0c9..3da8a07 100644
--- a/config/samples/microservices/kustomization.yaml
+++ b/config/samples/microservices/kustomization.yaml
@@ -20,6 +20,7 @@ generatorOptions:
 patches:
 - path: patch-ref-values.yaml
+- path: patch-resource-policy.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
@@ -29,4 +30,5 @@ resources:
 - as-config.yaml
 - rvps-config.yaml
 - rvps-reference-values.yaml
+- resource-policy.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/config/samples/microservices/patch-resource-policy.yaml b/config/samples/microservices/patch-resource-policy.yaml
new file mode 100644
index 0000000..091a68b
--- /dev/null
+++ b/config/samples/microservices/patch-resource-policy.yaml
@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+ name: kbsconfig-sample
+ namespace: kbs-operator-system
+spec:
+ kbsResourcePolicyConfigMapName: resource-policy
diff --git a/config/samples/microservices/resource-policy.yaml b/config/samples/microservices/resource-policy.yaml
new file mode 100644
index 0000000..201f328
--- /dev/null
+++ b/config/samples/microservices/resource-policy.yaml
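Review bot: The sample policy's only rule is `input["tee"] != "sample"`, so every KBS resource is released to any request whose `tee` claim is anything but `sample`, and this ConfigMap is wired in by default through `patch-resource-policy.yaml` in both overlays without any warning in the file. Suggest a comment above `policy.rego`: `# Permissive sample policy: releases every resource to any attested TEE other than "sample". Replace with rules on the specific claims you require before production use.` Since editing this ConfigMap changes the release conditions for the Secrets listed in `kbsSecretResources`, write access to it is as sensitive as access to those Secrets, and a sentence saying so in the README hunk would help operators scope RBAC. The microservices copy is byte-identical (same blob `201f328`), so the two files need to be kept in sync or generated from one source.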
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: resource-policy
+ namespace: kbs-operator-system
+data:
+ policy.rego: |
+ package policy
+
+ default allow = false
+ allow {
+ input["tee"] != "sample"
+ }
diff --git a/internal/controller/kbsconfig_controller.go b/internal/controller/kbsconfig_controller.go
index f9b312c..cd80848 100644
--- a/internal/controller/kbsconfig_controller.go
+++ b/internal/controller/kbsconfig_controller.go
@@ -358,6 +358,15 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
 volumes = append(volumes, *volume)
 kbsVM = append(kbsVM, volumeMount)
+ // resource policy
+ volume, err = r.createConfigMapVolume(ctx, "opa", r.kbsConfig.Spec.KbsResourcePolicyConfigMapName)
+ if err != nil {
+ return nil, err
+ }
+ volumeMount = createVolumeMount(volume.Name, filepath.Join(confidentialContainersPath, volume.Name))
+ volumes = append(volumes, *volume)
+ kbsVM = append(kbsVM, volumeMount)
+
 // auth-secret
 volume, err = r.createSecretVolume(ctx, "auth-secret", r.kbsConfig.Spec.KbsAuthSecretName)
 if err != nil {
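Review bot: `KbsResourcePolicyConfigMapName` is declared `omitempty` in the spec, but the new block calls `r.createConfigMapVolume(ctx, "opa", r.kbsConfig.Spec.KbsResourcePolicyConfigMapName)` unconditionally, so a KbsConfig that predates this field passes an empty name. What `createConfigMapVolume` does with `""` is outside this hunk, but either outcome hurts: an error stops reconciliation of every existing KbsConfig, and a volume naming a non-existent ConfigMap keeps the KBS pod from starting. Suggest wrapping the block in `if r.kbsConfig.Spec.KbsResourcePolicyConfigMapName != "" { … }` (or, if the policy is meant to be mandatory, saying so in the CRD description and validating it), consistent with how the other optional ConfigMap/Secret names in this function are treated. The mount lands at `filepath.Join(confidentialContainersPath, "opa")` while the samples store the Rego under the `policy.rego` key, so a one-line comment naming the resulting file path that KBS is expected to read would help the next reader; `newKbsDeployment` starts and ends outside the hunk.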