Allow KBS secret resources to be provided via K8s secrets

KbsSecretResources entry in the CRD allows to specify the K8s secrets that needs to be made available to the KBS clients. Each secret name is mounted as follows: /opt/confidential-containers/kbs/repository/default/<secret-name-1>/key1 /opt/confidential-containers/kbs/repository/default/<secret-name-1>/key2 /opt/confidential-containers/kbs/repository/default/<secret-name-2>/key1 Signed-off-by: Pradipta Banerjee <[email protected]>
confidential-containers · Mar 1, 2024 · e7fbff8 · e7fbff8
1 parent 659fa03
commit e7fbff8
Show file tree

Hide file tree

Showing 8 changed files with 138 additions and 12 deletions.
diff --git a/api/v1alpha1/kbsconfig_types.go b/api/v1alpha1/kbsconfig_types.go
@@ -67,6 +67,9 @@ type KbsConfigSpec struct {
 
 	// KbsHttpsCertSecretName is the name of the secret that contains the KBS https certificate
 	KbsHttpsCertSecretName string `json:"kbsHttpsCertSecretName,omitempty"`
+
+	// KbsSecretResources is an array of secret names that contain the keys required by clients
+	KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
 }
 
 // KbsConfigStatus defines the observed state of KbsConfig

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml b/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
@@ -65,6 +65,12 @@ spec:
                 description: KbsRvpsConfigMapName is the name of the configmap that
                   contains the KBS RVPS configuration
                 type: string
+              kbsSecretResources:
+                description: KbsSecretResources is an array of secret names that contain
+                  the keys required by clients
+                items:
+                  type: string
+                type: array
               kbsServiceType:
                 description: KbsServiceType is the type of service to create for KBS
                 type: string

diff --git a/config/manifests/bases/kbs-operator.clusterserviceversion.yaml b/config/manifests/bases/kbs-operator.clusterserviceversion.yaml
@@ -0,0 +1,53 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  annotations:
+    alm-examples: '[]'
+    capabilities: Basic Install
+  name: kbs-operator.v0.0.0
+  namespace: placeholder
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned:
+    - description: KbsConfig is the Schema for the kbsconfigs API
+      displayName: Kbs Config
+      kind: KbsConfig
+      name: kbsconfigs.confidentialcontainers.org
+      version: v1alpha1
+  description: Operator to manage the lifecycle of Key Broker Service (KBS)
+  displayName: KBS Operator
+  icon:
+  - base64data: ""
+    mediatype: ""
+  install:
+    spec:
+      deployments: null
+    strategy: ""
+  installModes:
+  - supported: false
+    type: OwnNamespace
+  - supported: false
+    type: SingleNamespace
+  - supported: false
+    type: MultiNamespace
+  - supported: true
+    type: AllNamespaces
+  keywords:
+  - kbs
+  - kbs-operator
+  - attestation-service
+  - rvps
+  links:
+  - name: Kbs Operator
+    url: https://kbs-operator.domain
+  maintainers:
+  - email: [email protected]
+    name: Pradipta Banerjee
+  - email: ' [email protected]'
+    name: Jens Freimann
+  maturity: alpha
+  provider:
+    name: Confidential Containers Community
+    url: https://github.com/confidential-containers
+  version: 0.0.0
diff --git a/config/samples/all-in-one/kbsconfig_sample.yaml b/config/samples/all-in-one/kbsconfig_sample.yaml
@@ -13,7 +13,4 @@ spec:
   kbsConfigMapName: kbs-config
   kbsAuthSecretName: kbs-auth-public-key
   kbsDeploymentType: AllInOneDeployment
-
-
-
-
+  kbsSecretResources: []
diff --git a/config/samples/microservices/kbsconfig_sample.yaml b/config/samples/microservices/kbsconfig_sample.yaml
@@ -20,3 +20,4 @@ spec:
   kbsDeploymentType: MicroservicesDeployment
   #kbsHttpsKeySecretName: kbs-https-key
   #kbsHttpsCertSecretName: kbs-https-certificate
+  kbsSecretResources: []
diff --git a/controllers/common.go b/controllers/common.go
@@ -38,6 +38,9 @@ const (
 
 	// KBS service name
 	KbsServiceName = "kbs-service"
+
+	// Default KBS Resources Path
+	kbsResourcesPath = "/opt/confidential-containers/kbs/repository/default"
 )
 
 func contains(list []string, s string) bool {

diff --git a/controllers/kbsconfig_controller.go b/controllers/kbsconfig_controller.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -206,7 +207,7 @@ func (r *KbsConfigReconciler) deployOrUpdateKbsService(ctx context.Context) erro
 }
 
 // newKbsService returns a new service for the KBS instance
-func (r *KbsConfigReconciler) newKbsService(ctx context.Context) *corev1.Service {
+func (r *KbsConfigReconciler) newKbsService(_ context.Context) *corev1.Service {
 	// Get the service type from the KbsConfig instance
 	serviceType := r.kbsConfig.Spec.KbsServiceType
 	// if the service type is not provided, default to ClusterIP
@@ -308,21 +309,31 @@ func (r *KbsConfigReconciler) deployOrUpdateKbsDeployment(ctx context.Context) e
 }
 
 func (r *KbsConfigReconciler) buildKbsVolumeMounts(ctx context.Context, volumes []corev1.Volume) ([]corev1.Volume, []corev1.VolumeMount, error) {
-	var kbsVolumes []corev1.Volume
-	kbsVolumes, err := r.processKbsConfigMap(ctx, kbsVolumes)
+	var kbsEtcVolumes, kbsSecretResourceVolumes []corev1.Volume
+	kbsEtcVolumes, err := r.processKbsConfigMap(ctx, kbsEtcVolumes)
 	if err != nil {
 		return nil, nil, err
 	}
-	kbsVolumes, err = r.processAuthSecret(ctx, kbsVolumes)
+	kbsEtcVolumes, err = r.processAuthSecret(ctx, kbsEtcVolumes)
 	if err != nil {
 		return nil, nil, err
 	}
-	kbsVolumes, err = r.processHttpsSecret(ctx, kbsVolumes)
+	kbsEtcVolumes, err = r.processHttpsSecret(ctx, kbsEtcVolumes)
 	if err != nil {
 		return nil, nil, err
 	}
-	volumeMounts := volumesToVolumeMounts(kbsVolumes)
-	volumes = append(volumes, kbsVolumes...)
+	// All the above kbsVolumes gets mounted under "/etc" directory
+	volumeMounts := volumesToVolumeMounts(kbsEtcVolumes)
+	volumes = append(volumes, kbsEtcVolumes...)
+
+	kbsSecretResourceVolumes, err = r.processKbsSecretResources(ctx, kbsSecretResourceVolumes)
+	if err != nil {
+		return nil, nil, err
+	}
+	// Add the kbsSecretResourceVolumes to the volumesMounts
+	volumeMounts = append(volumeMounts, volumesToVolumeMountsCustom(kbsSecretResourceVolumes, kbsResourcesPath)...)
+	volumes = append(volumes, kbsSecretResourceVolumes...)
+
 	return volumes, volumeMounts, nil
 }
 
@@ -348,6 +359,7 @@ func (r *KbsConfigReconciler) buildRvpsVolumesMounts(ctx context.Context, volume
 	return volumes, volumeMounts, nil
 }
 
+// Method to add volumeMounts for KBS under "/etc" directory
 func volumesToVolumeMounts(volumes []corev1.Volume) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{}
 	for _, volume := range volumes {
@@ -359,6 +371,20 @@ func volumesToVolumeMounts(volumes []corev1.Volume) []corev1.VolumeMount {
 	return volumeMounts
 }
 
+// Method to add volumeMounts for KBS under custom directory
+func volumesToVolumeMountsCustom(volumes []corev1.Volume, mountPath string) []corev1.VolumeMount {
+	volumeMounts := []corev1.VolumeMount{}
+	for _, volume := range volumes {
+		// Create MountPath ensuring file path separators are handled correctly
+		mountPath := filepath.Join(mountPath, volume.Name)
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      volume.Name,
+			MountPath: mountPath,
+		})
+	}
+	return volumeMounts
+}
+
 // newKbsDeployment returns a new deployment for the KBS instance
 func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) *appsv1.Deployment {
 	// Set replica count
@@ -721,6 +747,38 @@ func (r *KbsConfigReconciler) processKbsConfigMap(ctx context.Context, volumes [
 	return volumes, nil
 }
 
+// Method to add KbsSecretResources to the KBS volumes
+
+func (r *KbsConfigReconciler) processKbsSecretResources(ctx context.Context, volumes []corev1.Volume) ([]corev1.Volume, error) {
+	if r.kbsConfig.Spec.KbsSecretResources != nil {
+		for _, secretResource := range r.kbsConfig.Spec.KbsSecretResources {
+			foundSecret := &corev1.Secret{}
+			err := r.Client.Get(ctx, client.ObjectKey{
+				Namespace: r.namespace,
+				Name:      secretResource,
+			}, foundSecret)
+			if err != nil && k8serrors.IsNotFound(err) {
+				r.log.Error(err, "KbsSecretResource does not exist", "Secret.Namespace", r.namespace, "Secret.Name", secretResource)
+				return nil, err
+			} else if err != nil {
+				r.log.Error(err, "Failed to get KBS Secret Resource")
+				return nil, err
+			}
+
+			volumes = append(volumes, corev1.Volume{
+				Name: secretResource,
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: secretResource,
+					},
+				},
+			})
+		}
+	}
+	return volumes, nil
+
+}
+
 // updateKbsDeployment updates an existing deployment for the KBS instance
 func (r *KbsConfigReconciler) updateKbsDeployment(ctx context.Context, deployment *appsv1.Deployment) error {
 	err := r.Client.Update(ctx, deployment)