Add support for TDX specific configuration #35

Merged
merged 4 commits into from
Jul 3, 2024
Add support for TDX specific configuration
The config file /etc/sgx_default_qcnl.conf can be overridden by
creating the corresponding config map

Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
lmilleri committed Jul 2, 2024
commit 7ef8b115e15eb6e43e1703004666cbefaa7a1933
15 changes: 13 additions & 2 deletions README.md
@@ -47,8 +47,17 @@ type KbsConfigSpec struct {
// KbsSecretResources is an array of secret names that contain the keys required by clients
KbsSecretResources []string `json:"kbsSecretResources,omitempty"`

// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`
// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`

// tdxConfigSpec is the struct that hosts the TDX specific configuration
TdxConfigSpec TdxConfigSpec `json:"tdxConfigSpec,omitempty"`
}

// TdxConfigSpec defines the desired state for TDX configuration
type TdxConfigSpec struct {
// kbsTdxConfigMapName is the name of the configmap containing sgx_default_qcnl.conf file
KbsTdxConfigMapName string `json:"kbsTdxConfigMapName,omitempty"`
}
```

@@ -138,6 +147,8 @@ spec:
kbsSecretResources: ["kbsres1"]
# Resource policy
kbsResourcePolicyConfigMapName: resource-policy
# TDX configuration file
kbsTdxConfigMapName: tdx-config
```

## Getting Started
9 changes: 9 additions & 0 deletions api/v1alpha1/kbsconfig_types.go
@@ -36,6 +36,12 @@ const (
DeploymentTypeMicroservices DeploymentType = "MicroservicesDeployment"
)

// TdxConfigSpec defines the desired state for TDX configuration
type TdxConfigSpec struct {
// kbsTdxConfigMapName is the name of the configmap containing sgx_default_qcnl.conf file
KbsTdxConfigMapName string `json:"kbsTdxConfigMapName,omitempty"`
}

// KbsConfigSpec defines the desired state of KbsConfig
type KbsConfigSpec struct {
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
@@ -76,6 +82,9 @@ type KbsConfigSpec struct {

// kbsResourcePolicyConfigMapName is the name of the configmap that contains the Resource Policy
KbsResourcePolicyConfigMapName string `json:"kbsResourcePolicyConfigMapName,omitempty"`

// tdxConfigSpec is the struct that hosts the TDX specific configuration
TdxConfigSpec TdxConfigSpec `json:"tdxConfigSpec,omitempty"`
}
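Review bot: The doc comment on KbsTdxConfigMapName does not say which key the ConfigMap must carry, yet the controller change in this commit mounts it with subPath `sgx_default_qcnl.conf`, so a ConfigMap keyed any other way mounts nothing useful; suggest `// kbsTdxConfigMapName is the name of the ConfigMap whose key sgx_default_qcnl.conf is mounted as the QCNL config file in the KBS container`. Separately, `omitempty` on the non-pointer struct field TdxConfigSpec is a no-op for encoding/json (it only omits false, 0, nil pointers/interfaces and empty strings/slices/maps, never a struct), so the tag documents an intent it does not implement; either accept that an empty `tdxConfigSpec: {}` is always emitted or, if the rest of the spec uses pointers for optional sub-structs, make it `*TdxConfigSpec` — the controller would then need a nil check before reading it. The first hunk's enclosing const block and the second hunk's KbsConfigSpec struct both start outside the hunk.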

// KbsConfigStatus defines the observed state of KbsConfig
16 changes: 16 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


9 changes: 9 additions & 0 deletions bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
@@ -87,6 +87,15 @@ spec:
kbsServiceType:
description: KbsServiceType is the type of service to create for KBS
type: string
tdxConfigSpec:
description: tdxConfigSpec is the struct that hosts the TDX specific
configuration
properties:
kbsTdxConfigMapName:
description: kbsTdxConfigMapName is the name of the configmap
containing sgx_default_qcnl.conf file
type: string
type: object
type: object
status:
description: KbsConfigStatus defines the observed state of KbsConfig
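--- a/bundle/manifests/tdx-config-sample_v1_configmap.yaml
+++ b/bundle/manifests/tdx-config-sample_v1_configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+data:
+sgx_default_qcnl.conf: |
+{
+"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+"pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+// "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+// To accept insecure HTTPS certificate, set this option to false
+// "use_secure_cert": false
+}
+kind: ConfigMap
+metadata:
+name: tdx-config-sample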
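Review bot: The commented `// "use_secure_cert": false` line is explained only as "to accept insecure HTTPS certificate", which understates what it does: with certificate verification off, the collateral fetched through pccs_url/collateral_service (the material quote verification relies on) comes from an unauthenticated endpoint, so a sample shipped in the operator bundle should say it is for a local test PCCS only. Suggest replacing that comment with `// Only for a local test PCCS: disabling certificate verification means the collateral used to verify quotes is fetched from an unauthenticated server; do not set this in production`. The same sgx_default_qcnl.conf body is repeated verbatim in config/samples/all-in-one/tdx-config.yaml and config/samples/microservices/tdx-config.yaml in this commit; if the bundle copy is generated from config/samples, fixing the sources is enough.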
@@ -23,14 +23,15 @@ metadata:
"kbsConfigMapName": "kbs-config",
"kbsDeploymentType": "AllInOneDeployment",
"kbsResourcePolicyConfigMapName": "resource-policy",
"kbsRvpsRefValuesConfigMapName": "rvps-reference-values"
"kbsRvpsRefValuesConfigMapName": "rvps-reference-values",
"kbsTdxConfigMapName": "tdx-config"
}
}
]
capabilities: Basic Install
categories: Security
containerImage: quay.io/confidential-containers/trustee-operator:v0.1.0
createdAt: "2024-06-26T09:55:58Z"
createdAt: "2024-06-26T10:00:49Z"
operators.operatorframework.io/builder: operator-sdk-v1.33.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
support: Confidential Containers Community
9 changes: 9 additions & 0 deletions config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
@@ -87,6 +87,15 @@ spec:
kbsServiceType:
description: KbsServiceType is the type of service to create for KBS
type: string
tdxConfigSpec:
description: tdxConfigSpec is the struct that hosts the TDX specific
configuration
properties:
kbsTdxConfigMapName:
description: kbsTdxConfigMapName is the name of the configmap
containing sgx_default_qcnl.conf file
type: string
type: object
type: object
status:
description: KbsConfigStatus defines the observed state of KbsConfig
2 changes: 2 additions & 0 deletions config/samples/all-in-one/kustomization.yaml
@@ -20,6 +20,7 @@ generatorOptions:
patches:
- path: patch-ref-values.yaml
- path: patch-resource-policy.yaml
- path: patch-tdx-config.yaml
# uncomment the following line for injecting sample resources in kbs
#- path: patch-kbs-resources.yaml

@@ -28,4 +29,5 @@ resources:
- kbs-config.yaml
- rvps-reference-values.yaml
- resource-policy.yaml
- tdx-config.yaml
#+kubebuilder:scaffold:manifestskustomizesamples
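--- a/config/samples/all-in-one/patch-tdx-config.yaml
+++ b/config/samples/all-in-one/patch-tdx-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+name: kbsconfig-sample
+namespace: kbs-operator-system
+spec:
+kbsTdxConfigMapName: tdx-config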
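Review bot: `kbsTdxConfigMapName: tdx-config` sits directly under `spec:`, but the Go type and the CRD schema added in this commit nest it as `spec.tdxConfigSpec.kbsTdxConfigMapName`, so this patch never populates Spec.TdxConfigSpec.KbsTdxConfigMapName: with a structural schema the unknown field is pruned (or rejected under strict field validation) and the KBS is deployed without the TDX config. The lines should read `spec:` / `  tdxConfigSpec:` / `    kbsTdxConfigMapName: tdx-config`. The same placement appears in config/samples/microservices/patch-tdx-config.yaml, in the alm-examples JSON of the clusterserviceversion hunk, and in the README example in this commit.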
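--- a/config/samples/all-in-one/tdx-config.yaml
+++ b/config/samples/all-in-one/tdx-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: tdx-config
+namespace: kbs-operator-system
+data:
+sgx_default_qcnl.conf: |
+{
+"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+"pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+// "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+// To accept insecure HTTPS certificate, set this option to false
+// "use_secure_cert": false
+}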
2 changes: 2 additions & 0 deletions config/samples/microservices/kustomization.yaml
@@ -21,6 +21,7 @@ generatorOptions:
patches:
- path: patch-ref-values.yaml
- path: patch-resource-policy.yaml
- path: patch-tdx-config.yaml
# uncomment the following line for injecting sample resources in kbs
#- path: patch-kbs-resources.yaml

@@ -31,4 +32,5 @@ resources:
- rvps-config.yaml
- rvps-reference-values.yaml
- resource-policy.yaml
- tdx-config.yaml
#+kubebuilder:scaffold:manifestskustomizesamples
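--- a/config/samples/microservices/patch-tdx-config.yaml
+++ b/config/samples/microservices/patch-tdx-config.yaml
@@ -0,0 +1,7 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+name: kbsconfig-sample
+namespace: kbs-operator-system
+spec:
+kbsTdxConfigMapName: tdx-config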
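--- a/config/samples/microservices/tdx-config.yaml
+++ b/config/samples/microservices/tdx-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: tdx-config
+namespace: kbs-operator-system
+data:
+sgx_default_qcnl.conf: |
+{
+"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+"pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+// "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+// To accept insecure HTTPS certificate, set this option to false
+// "use_secure_cert": false
+}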
3 changes: 3 additions & 0 deletions internal/controller/common.go
@@ -64,6 +64,9 @@ const (

// Default RVPS reference values Path
rvpsReferenceValuesPath = confidentialContainersPath + "/rvps"

// TDX config file
tdxConfigFile = "sgx_default_qcnl.conf"
)

func contains(list []string, s string) bool {
12 changes: 11 additions & 1 deletion internal/controller/kbsconfig_controller.go
@@ -367,6 +367,15 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
volumes = append(volumes, *volume)
kbsVM = append(kbsVM, volumeMount)

// TDX specific configuration
volume, err = r.createConfigMapVolume(ctx, "tdx-config", r.kbsConfig.Spec.TdxConfigSpec.KbsTdxConfigMapName)
if err != nil {
return nil, err
}
volumeMount = createVolumeMountWithSubpath(volume.Name, filepath.Join(kbsDefaultConfigPath, tdxConfigFile), tdxConfigFile)
volumes = append(volumes, *volume)
kbsVM = append(kbsVM, volumeMount)

// auth-secret
volume, err = r.createSecretVolume(ctx, "auth-secret", r.kbsConfig.Spec.KbsAuthSecretName)
if err != nil {
@@ -690,7 +699,8 @@ func configMapToKbsConfigMapper(c client.Client, log logr.Logger) (handler.MapFu
kbsConfig.Spec.KbsAsConfigMapName == configMap.Name ||
kbsConfig.Spec.KbsRvpsConfigMapName == configMap.Name ||
kbsConfig.Spec.KbsRvpsRefValuesConfigMapName == configMap.Name ||
kbsConfig.Spec.KbsResourcePolicyConfigMapName == configMap.Name {
kbsConfig.Spec.KbsResourcePolicyConfigMapName == configMap.Name ||
kbsConfig.Spec.TdxConfigSpec.KbsTdxConfigMapName == configMap.Name {

requests = append(requests, reconcile.Request{
NamespacedName: types.NamespacedName{
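Review bot: The TDX ConfigMap is mounted through a subPath (the createVolumeMountWithSubpath call in the first hunk), and Kubernetes does not propagate ConfigMap updates into subPath mounts, so the new mapper clause in the second hunk (`kbsConfig.Spec.TdxConfigSpec.KbsTdxConfigMapName == configMap.Name`) will queue a reconcile when the ConfigMap changes but the running KBS container keeps the old sgx_default_qcnl.conf unless the reconcile also rolls the Deployment, which is not visible here. Worth a comment at the mount: `// subPath mounts are not refreshed on ConfigMap change; a pod restart is needed to pick up a new sgx_default_qcnl.conf`. The commit message names /etc/sgx_default_qcnl.conf, while the mount path is filepath.Join(kbsDefaultConfigPath, tdxConfigFile) with kbsDefaultConfigPath defined outside the hunk — confirm the two agree. It is also not visible whether createConfigMapVolume treats an empty KbsTdxConfigMapName as "no volume"; if it does not, every KbsConfig now requires a TDX ConfigMap. newKbsDeployment starts and ends outside the hunk.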
8 changes: 8 additions & 0 deletions internal/controller/volumes.go
@@ -122,3 +122,11 @@ func createVolumeMount(volumeName string, mountPath string) corev1.VolumeMount {
MountPath: mountPath,
}
}

func createVolumeMountWithSubpath(volumeName string, mountPath string, subPath string) corev1.VolumeMount {
return corev1.VolumeMount{
Name: volumeName,
MountPath: mountPath,
SubPath: subPath,
}
}
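Review bot: createVolumeMountWithSubpath has no doc comment, and its name spells the field as Subpath while the corev1 field it sets is SubPath; suggest `// createVolumeMountWithSubpath builds a VolumeMount that exposes only the subPath entry of volumeName at mountPath (for single-file mounts such as sgx_default_qcnl.conf).` It also repeats createVolumeMount's literal; `vm := createVolumeMount(volumeName, mountPath); vm.SubPath = subPath; return vm` would keep the two helpers in step. Renaming the function would touch the controller call site added in this commit, so the comment is the cheap fix.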