diff --git a/README.md b/README.md index 664dc23..d7ea475 100644 --- a/README.md +++ b/README.md @@ -97,20 +97,29 @@ metadata: name: kbs-config-grpc namespace: trustee-operator-system data: - kbs-config.json: | - { - "insecure_http" : false, - "sockets": ["0.0.0.0:8080"], - "auth_public_key": "/etc/auth-secret/kbs.pem", - "private_key": "/etc/https-key/key.pem", - "certificate": "/etc/https-cert/cert.pem", - "attestation_token_config": { - "attestation_token_type": "CoCo" - }, - "grpc_config" : { - "as_addr": "http://127.0.0.1:50004" - } - } + kbs-config.toml: | + [http_server] + sockets = ["0.0.0.0:8080"] + insecure_http = true + [admin] + insecure_api = true + auth_public_key = "/etc/auth-secret/kbs.pem" + + [attestation_token] + insecure_key = true + + [attestation_service] + type = "coco_as_grpc" + as_addr = "http://127.0.0.1:50004" + + [[plugins]] + name = "resource" + type = "LocalFs" + dir_path = "/opt/confidential-containers/kbs/repository" + + [policy_engine] + policy_path = "/opt/confidential-containers/opa/policy.rego" + ``` If HTTPS support is not needed, please set `insecure_http=true` and no need to specify the attributes `private_key` and `certificate`. @@ -216,10 +225,6 @@ You’ll need a Kubernetes cluster to run against. You can use [KIND](https://si This is an example. Change it to real values as per your requirements. - It is recommended to uncomment the secret generation for the trustee authorization in the [kustomization.yaml](config/samples/microservices/kustomization.yaml), for both public and private key (`kbs-auth-public-key` and `kbs-client` secrets) - - For enabling logs with DEBUG severity, uncomment the `patch-env-vars.yaml` line in the [kustomization.yaml](config/samples/microservices/kustomization.yaml). - ```sh cd config/samples/microservices # or config/samples/all-in-one for the integrated mode diff --git a/config/samples/all-in-one/ita-kbs-config.yaml b/config/samples/all-in-one/ita-kbs-config.yaml index 5c4fd9f..76100ad 100644 
--- a/config/samples/all-in-one/ita-kbs-config.yaml +++ b/config/samples/all-in-one/ita-kbs-config.yaml @@ -4,39 +4,29 @@ metadata: name: ita-kbs-config namespace: trustee-operator-system data: - kbs-config.json: | - { - "insecure_http" : true, - "sockets": ["0.0.0.0:8080"], - "auth_public_key": "/etc/auth-secret/kbs.pem", - "attestation_token_config": { - "attestation_token_type": "Jwk", - "trusted_certs_paths": ["https://portal.trustauthority.intel.com"] - }, - "repository_config": { - "type": "LocalFs", - "dir_path": "/opt/confidential-containers/kbs/repository" - }, - "as_config": { - "work_dir": "/opt/confidential-containers/attestation-service", - "policy_engine": "opa", - "attestation_token_broker": "Simple", - "attestation_token_config": { - "duration_min": 5 - }, - "rvps_config": { - "store_type": "LocalJson", - "store_config": { - "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json" - } - } - }, - "policy_engine_config": { - "policy_path": "/opt/confidential-containers/opa/policy.rego" - }, - "intel_trust_authority_config" : { - "base_url": "https://api.trustauthority.intel.com", - "api_key": "tBfd5kKX2x9ahbodKV1...", - "certs_file": "https://portal.trustauthority.intel.com" - } - } + kbs-config.toml: | + [http_server] + sockets = ["0.0.0.0:8080"] + insecure_http = true + + [admin] + insecure_api = true + auth_public_key = "/etc/auth-secret/kbs.pem" + + [attestation_token] + trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] + + [attestation_service] + type = "intel_ta" + base_url = "https://api.trustauthority.intel.com" + api_key = "tBfd5kKX2x9ahbodKV1..." + certs_file = "https://portal.trustauthority.intel.com" + allow_unmatched_policy = true + + [[plugins]] + name = "resource" + type = "LocalFs" + dir_path = "/opt/confidential-containers/kbs/repository" + + [policy_engine] + policy_path = "/opt/confidential-containers/opa/policy.rego" 
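Review bot: `allow_unmatched_policy = true` under `[attestation_service]` is introduced without any explanation, and taken at face value it tells the KBS to accept an Intel Trust Authority token even when the token's policy evaluation did not match, which makes the ITA appraisal policy advisory-only for this sample (hedged — confirm against the `intel_ta` verifier of the pinned KBS version). Combined with `insecure_api = true` and a plaintext listener on `0.0.0.0:8080` (`insecure_http = true`), anyone who can reach the pod can both rewrite the resource policy through the unauthenticated admin API and fetch resources with a token that failed policy. `auth_public_key` is still set next to `insecure_api = true`, which reads as contradictory; since this same change makes the kustomization generate the `kbs-auth-public-key` Secret unconditionally, `insecure_api = false` is the consistent choice. If the unmatched-policy flag exists only so the sample works without provisioning ITA policies, state that above the line: `# sample only: accept tokens whose ITA policy_ids did not match; set false and configure policy_ids for real deployments`.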
diff --git a/config/samples/all-in-one/kbs-config.yaml b/config/samples/all-in-one/kbs-config.yaml index 12c0040..8a3d19e 100644 --- a/config/samples/all-in-one/kbs-config.yaml +++ b/config/samples/all-in-one/kbs-config.yaml 
@@ -4,33 +4,37 @@ metadata: name: kbs-config namespace: trustee-operator-system data: - kbs-config.json: | - { - "insecure_http" : true, - "sockets": ["0.0.0.0:8080"], - "auth_public_key": "/etc/auth-secret/kbs.pem", - "attestation_token_config": { - "attestation_token_type": "CoCo" - }, - "repository_config": { - "type": "LocalFs", - "dir_path": "/opt/confidential-containers/kbs/repository" - }, - "as_config": { - "work_dir": "/opt/confidential-containers/attestation-service", - "policy_engine": "opa", - "attestation_token_broker": "Simple", - "attestation_token_config": { - "duration_min": 5 - }, - "rvps_config": { - "store_type": "LocalJson", - "store_config": { - "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json" - } - } - }, - "policy_engine_config": { - "policy_path": "/opt/confidential-containers/opa/policy.rego" - } - } + kbs-config.toml: | + [http_server] + sockets = ["0.0.0.0:8080"] + insecure_http = true + + [admin] + insecure_api = true + auth_public_key = "/etc/auth-secret/kbs.pem" + + [attestation_token] + insecure_key = true + + [attestation_service] + type = "coco_as_builtin" + work_dir = "/opt/confidential-containers/attestation-service" + policy_engine = "opa" + [attestation_service.attestation_token_broker] + type = "Ear" + [attestation_service.attestation_token_config] + duration_min = 5 + [attestation_service.rvps_config] + type = "BuiltIn" + store_type = "LocalJson" + [attestation_service.rvps_config.store_config] + file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json" + + [[plugins]] + name = "resource" + type = "LocalFs" + dir_path = "/opt/confidential-containers/kbs/repository" + + [policy_engine] + policy_path = "/opt/confidential-containers/opa/policy.rego" + diff --git a/config/samples/all-in-one/kustomization.yaml b/config/samples/all-in-one/kustomization.yaml index 6032ef7..9b9e2ed 100644 --- a/config/samples/all-in-one/kustomization.yaml 
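Review bot: `[admin]` sets `insecure_api = true` directly beside `auth_public_key = "/etc/auth-secret/kbs.pem"`, so the admin endpoints accept unauthenticated requests while the key that would protect them is still mounted — and the kustomization hunk in this same change now generates the `kbs-auth-public-key` Secret unconditionally, so the sample already has what it needs to run with `insecure_api = false`. With `sockets = ["0.0.0.0:8080"]` and `insecure_http = true` the listener is plaintext on all interfaces, so the only boundary is whatever Service or network policy exposes the pod, which this sample does not show. `[attestation_token] insecure_key = true` appears, from the field name, to skip checking the attestation token's signing key against trusted certificates (hedged — confirm in the KBS token verifier); that is defensible while the AS is `coco_as_builtin` in the same process, but it is a trust assumption the sample should state. Suggest `insecure_api = false` and a comment above `insecure_key`: `# built-in AS signs tokens in-process; set false and provide trusted_certs_paths when the AS runs elsewhere`.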
+++ b/config/samples/all-in-one/kustomization.yaml @@ -1,21 +1,22 @@ ## Append samples you want in your CSV to this file as resources ## +namespace: trustee-operator-system generatorOptions: disableNameSuffixHash: true # uncomment to generate secrets for kbs authorization -# secretGenerator: -# - name: kbs-auth-public-key -# files: -# - kbs.pem -# - name: kbs-client -# files: -# - privateKey +secretGenerator: +- name: kbs-auth-public-key + files: + - kbs.pem +- name: kbs-client + files: + - privateKey # uncomment the following lines for injecting sample resources in kbs -#- name: kbsres1 -# literals: -# - key1=res1val1 -# - key2=res1val2 +- name: kbsres1 + literals: + - key1=res1val1 + - key2=res1val2 patches: - path: patch-ref-values.yaml @@ -23,9 +24,9 @@ patches: - path: patch-resource-policy.yaml - path: patch-tdx-config.yaml # uncomment the following line for injecting sample resources in kbs -#- path: patch-kbs-resources.yaml +- path: patch-kbs-resources.yaml # uncomment the following line for enabling DEBUG logs -# - path: patch-env-vars.yaml +- path: patch-env-vars.yaml resources: - kbsconfig_sample.yaml diff --git a/config/samples/all-in-one/patch-ita-config.yaml b/config/samples/all-in-one/patch-ita-config.yaml index eb13aff..6452bf4 100644 --- a/config/samples/all-in-one/patch-ita-config.yaml +++ b/config/samples/all-in-one/patch-ita-config.yaml @@ -2,6 +2,6 @@ apiVersion: confidentialcontainers.org/v1alpha1 kind: KbsConfig metadata: name: kbsconfig-sample - namespace: kbs-operator-system + namespace: trustee-operator-system spec: kbsItaConfigMapName: ita-config diff --git a/config/samples/all-in-one/resource-policy.yaml b/config/samples/all-in-one/resource-policy.yaml index 72f6cfc..a43a95e 100644 --- a/config/samples/all-in-one/resource-policy.yaml +++ b/config/samples/all-in-one/resource-policy.yaml @@ -7,7 +7,4 @@ data: policy.rego: | package policy - default allow = false - allow { - input["tee"] != "sample" - } + default allow = true 
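Review bot: The context comments `# uncomment to generate secrets for kbs authorization`, `# uncomment the following lines for injecting sample resources in kbs` and `# uncomment the following line for enabling DEBUG logs` are now stale, because every line beneath them is uncommented in this hunk (and the README hunk in this same change deletes the matching instructions). The practical effect is that the sample now deploys DEBUG logging via `patch-env-vars.yaml`, injects the `kbsres1` sample resource, and builds Secrets from whatever `kbs.pem` and `privateKey` files sit in this directory, all as the default path a user will copy. Rewrite the three comments to say what is enabled and what to drop, e.g. `# Secrets for KBS admin auth — regenerate kbs.pem/privateKey, never reuse sample keys`, `# sample resources — remove for real deployments`, `# DEBUG logging — remove for real deployments`.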
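Review bot: `default allow = true` replaces a policy that denied everything except non-`sample` TEEs, so any request that passes token verification — including evidence from the sample attester, which any client can fabricate — now receives every resource in the repository. Because this file is the starting point users copy, and the KBS samples in this same change set `insecure_key = true`, the sample stack ends up with no attestation-based gate on resource release at all (hedged: whether the sample attester is admitted also depends on the AS policy, which this diff does not show). If the intent is to admit a specific TEE for the e2e flow, keep `default allow = false` and add one explicit rule for that TEE behind a comment saying it is test-only; at minimum place `# WARNING: allow-all policy for samples/e2e only — never use in a real deployment` above the line.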
diff --git a/config/samples/microservices/as-config.yaml b/config/samples/microservices/as-config.yaml index 9d8ffb7..1b921e1 100644 --- a/config/samples/microservices/as-config.yaml +++ b/config/samples/microservices/as-config.yaml @@ -9,9 +9,12 @@ data: "work_dir": "/opt/confidential-containers/attestation-service", "policy_engine": "opa", "rvps_config": { + "type": "BuiltIn", "remote_addr":"http://127.0.0.1:50003" }, - "attestation_token_broker": "Simple", + "attestation_token_broker": { + "type": "Ear" + }, "attestation_token_config": { "duration_min": 5 } diff --git a/config/samples/microservices/ita-kbs-config.yaml b/config/samples/microservices/ita-kbs-config.yaml index b711560..b32f0d7 100644 --- a/config/samples/microservices/ita-kbs-config.yaml +++ b/config/samples/microservices/ita-kbs-config.yaml 
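Review bot: `"type": "BuiltIn"` is added inside a `rvps_config` that still carries `"remote_addr": "http://127.0.0.1:50003"`, and in the microservices layout the RVPS is a separate service on that port (this same change edits `rvps-config.yaml`, which listens on `0.0.0.0:50003`), so a built-in RVPS with a remote address reads as contradictory. If the AS config for the pinned version selects between an in-process store and a remote RVPS by `type` (hedged — the schema is not visible here), a tolerant parser would ignore `remote_addr` and start an empty in-process RVPS, meaning no reference values are enforced and the failure is silent, while a strict parser would refuse to start, which is the better failure. Please confirm the accepted variant names and either switch to the remote variant or add a comment above `"type"` explaining why `BuiltIn` plus a remote address is correct.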
@@ -4,30 +4,29 @@ metadata: name: ita-kbs-config-grpc namespace: trustee-operator-system data: - kbs-config.json: | - { - "insecure_http" : true, - "sockets": ["0.0.0.0:8080"], - "auth_public_key": "/etc/auth-secret/kbs.pem", - "private_key": "/etc/https-key/key.pem", - "certificate": "/etc/https-cert/cert.pem", - "attestation_token_config": { - "attestation_token_type": "Jwk", - "trusted_certs_paths": ["https://portal.trustauthority.intel.com"] - }, - "grpc_config" : { - "as_addr": "http://127.0.0.1:50004" - }, - "repository_config": { - "type": "LocalFs", - "dir_path": "/opt/confidential-containers/kbs/repository" - }, - "policy_engine_config": { - "policy_path": "/opt/confidential-containers/opa/policy.rego" - }, - "intel_trust_authority_config" : { - "base_url": "https://api.trustauthority.intel.com", - "api_key": "tBfd5kKX2x9ahbodKV1...", - "certs_file": "https://portal.trustauthority.intel.com" - } - } + kbs-config.toml: | + [http_server] + sockets = ["0.0.0.0:8080"] + insecure_http = true + + [admin] + insecure_api = true + auth_public_key = "/etc/auth-secret/kbs.pem" + + [attestation_token] + trusted_jwk_sets = ["https://portal.trustauthority.intel.com"] + + [attestation_service] + type = "intel_ta" + base_url = "https://api.trustauthority.intel.com" + api_key = "tBfd5kKX2x9ahbodKV1..." + certs_file = "https://portal.trustauthority.intel.com" + allow_unmatched_policy = true + + [[plugins]] + name = "resource" + type = "LocalFs" + dir_path = "/opt/confidential-containers/kbs/repository" + + [policy_engine] + policy_path = "/opt/confidential-containers/opa/policy.rego" diff --git a/config/samples/microservices/kbs-config.yaml b/config/samples/microservices/kbs-config.yaml index 3104a79..5278f43 100644 --- a/config/samples/microservices/kbs-config.yaml +++ b/config/samples/microservices/kbs-config.yaml 
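Review bot: `api_key = "tBfd5kKX2x9ahbodKV1..."` keeps the Intel Trust Authority API key inline in a ConfigMap, which any principal with `get configmaps` in `trustee-operator-system` can read, and the same object now also carries `insecure_api = true`, so a leaked key and an unauthenticated admin API ship together. The placeholder is visibly truncated, which is good, but nothing tells a user not to paste a real key here. If the operator can mount a Secret for the ITA section (the kustomization in this change already generates Secrets for the KBS keys; hedged — the KbsConfig CRD is not visible here), source the key from there and leave `# api_key must come from a Secret — never commit a real ITA key to this ConfigMap` above the line. `allow_unmatched_policy = true` has the same concern as in the all-in-one ITA sample: it appears to accept tokens whose ITA policy evaluation did not match and should at least be commented as sample-only.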
@@ -4,24 +4,26 @@ metadata: name: kbs-config-grpc namespace: trustee-operator-system data: - kbs-config.json: | - { - "insecure_http" : true, - "sockets": ["0.0.0.0:8080"], - "auth_public_key": "/etc/auth-secret/kbs.pem", - "private_key": "/etc/https-key/key.pem", - "certificate": "/etc/https-cert/cert.pem", - "attestation_token_config": { - "attestation_token_type": "CoCo" - }, - "grpc_config" : { - "as_addr": "http://127.0.0.1:50004" - }, - "repository_config": { - "type": "LocalFs", - "dir_path": "/opt/confidential-containers/kbs/repository" - }, - "policy_engine_config": { - "policy_path": "/opt/confidential-containers/opa/policy.rego" - } - } + kbs-config.toml: | + [http_server] + sockets = ["0.0.0.0:8080"] + insecure_http = true + + [admin] + insecure_api = true + auth_public_key = "/etc/auth-secret/kbs.pem" + + [attestation_token] + insecure_key = true + + [attestation_service] + type = "coco_as_grpc" + as_addr = "http://127.0.0.1:50004" + + [[plugins]] + name = "resource" + type = "LocalFs" + dir_path = "/opt/confidential-containers/kbs/repository" + + [policy_engine] + policy_path = "/opt/confidential-containers/opa/policy.rego" diff --git a/config/samples/microservices/kustomization.yaml b/config/samples/microservices/kustomization.yaml index b94102a..b386e6e 100644 --- a/config/samples/microservices/kustomization.yaml +++ b/config/samples/microservices/kustomization.yaml @@ -4,19 +4,19 @@ generatorOptions: disableNameSuffixHash: true # uncomment to generate secrets for kbs authorization -#secretGenerator: -#- name: kbs-auth-public-key -# files: -# - kbs.pem -#- name: kbs-client -# files: -# - privateKey +secretGenerator: +- name: kbs-auth-public-key + files: + - kbs.pem +- name: kbs-client + files: + - privateKey # uncomment the following lines for injecting sample resources in kbs -#- literals: -# - key1=res1val1 -# - key2=res1val2 -# name: kbsres1 +- literals: + - key1=res1val1 + - key2=res1val2 + name: kbsres1 patches: - path: patch-ref-values.yaml 
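Review bot: `insecure_key = true` under `[attestation_token]` together with `type = "coco_as_grpc"` means the KBS consumes attestation tokens minted by a separate AS process and, by the field's own name, does not check the token-signing key against any trusted certificate (hedged — confirm in the KBS token verifier for the pinned version); the AS is reached over plaintext `http://127.0.0.1:50004`, which is acceptable inside one pod but gives no protection if `as_addr` is later pointed at a remote AS. The old JSON config had no such switch, so this is a new explicit trust assumption the sample should state rather than leave bare. Suggest a comment above the line: `# AS runs in the same pod; when as_addr is remote, set insecure_key = false and list the AS token-signing cert in trusted_certs_paths`. `[admin] insecure_api = true` beside `auth_public_key` has the same inconsistency as the all-in-one sample — the kustomization in this change now always generates the key Secret, so `insecure_api = false` is the consistent setting.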
@@ -24,9 +24,9 @@ patches: - path: patch-resource-policy.yaml - path: patch-tdx-config.yaml # uncomment the following line for injecting sample resources in kbs -#- path: patch-kbs-resources.yaml +- path: patch-kbs-resources.yaml # uncomment the following line for enabling DEBUG logs -#- path: patch-env-vars.yaml +- path: patch-env-vars.yaml resources: - kbsconfig_sample.yaml diff --git a/config/samples/microservices/resource-policy.yaml b/config/samples/microservices/resource-policy.yaml index 72f6cfc..a43a95e 100644 --- a/config/samples/microservices/resource-policy.yaml +++ b/config/samples/microservices/resource-policy.yaml @@ -7,7 +7,4 @@ data: policy.rego: | package policy - default allow = false - allow { - input["tee"] != "sample" - } + default allow = true diff --git a/config/samples/microservices/rvps-config.yaml b/config/samples/microservices/rvps-config.yaml index cd2e512..df45746 100644 --- a/config/samples/microservices/rvps-config.yaml +++ b/config/samples/microservices/rvps-config.yaml @@ -7,6 +7,7 @@ data: rvps-config.json: | { "address": "0.0.0.0:50003", + "type": "BuiltIn", "store_type": "LocalJson", "store_config": { "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json" diff --git a/internal/controller/kbsconfig_controller.go b/internal/controller/kbsconfig_controller.go index 36a2573..91c8aa6 100644 --- a/internal/controller/kbsconfig_controller.go +++ b/internal/controller/kbsconfig_controller.go @@ -610,7 +610,7 @@ func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMoun command := []string{ "/usr/local/bin/kbs", "--config-file", - "/etc/kbs-config/kbs-config.json", + "/etc/kbs-config/kbs-config.toml", } return corev1.Container{ diff --git a/tests/e2e/sample-attester/03-kbs-config.yaml b/tests/e2e/sample-attester/03-kbs-config.yaml index 2578399..ccbc441 100644 --- a/tests/e2e/sample-attester/03-kbs-config.yaml +++ b/tests/e2e/sample-attester/03-kbs-config.yaml 
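Review bot: `- path: patch-env-vars.yaml` is enabled while the context comment above it still reads `# uncomment the following line for enabling DEBUG logs`, so the sample now deploys DEBUG logging by default under a comment that says the opposite; the same applies to `# uncomment the following line for injecting sample resources in kbs` over `patch-kbs-resources.yaml`. Debug output from a key broker is the kind of log that tends to include request bodies and token material (hedged — what the KBS logs at DEBUG is not visible here), so it should be an explicit opt-in rather than the copied default. Replace the two comments with `# DEBUG logging — remove for real deployments` and `# sample resources — remove for real deployments`.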
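Review bot: `default allow = true` turns the microservices resource policy into allow-all, exactly as in the all-in-one sample: the previous rule refused the `sample` TEE, and now any caller holding a token the KBS accepts gets every resource. Since the KBS samples in this change also set `insecure_key = true`, the whole sample chain has no attestation-based gate on resource release (hedged: the AS policy, not shown here, may still reject some evidence). Keep `default allow = false` with one explicit rule for the TEE the sample must admit, or at least add `# WARNING: allow-all policy for samples/e2e only — never use in a real deployment` above the line.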
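Review bot: The only change is the file name in the `--config-file` argument, `"/etc/kbs-config/kbs-config.toml"`, but the key that lands at that path comes from a user-supplied ConfigMap referenced by the KbsConfig resource, so every existing deployment whose ConfigMap still exposes `kbs-config.json` will get a KBS container that starts, cannot open its config, and crash-loops with nothing in the operator's status to explain why. buildKbsContainer starts and ends outside the hunk, so I cannot see how the volume is assembled, but the reconciler that resolves the ConfigMap could verify the `kbs-config.toml` key exists and set a status condition (or warn about the deprecated `.json` key) before building the pod. At minimum document the break on the line: `// KBS now reads TOML; the ConfigMap referenced by KbsConfig must expose the key "kbs-config.toml"`.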
@@ -4,33 +4,41 @@ metadata: name: kbs-config namespace: trustee-operator-system data: - kbs-config.json: | - { - "insecure_http" : true, - "sockets": ["0.0.0.0:8080"], - "auth_public_key": "/etc/auth-secret/publicKey", - "attestation_token_config": { - "attestation_token_type": "CoCo" - }, - "repository_config": { - "type": "LocalFs", - "dir_path": "/opt/confidential-containers/kbs/repository" - }, - "as_config": { - "work_dir": "/opt/confidential-containers/attestation-service", - "policy_engine": "opa", - "attestation_token_broker": "Simple", - "attestation_token_config": { - "duration_min": 5 - }, - "rvps_config": { - "store_type": "LocalJson", - "store_config": { - "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json" - } - } - }, - "policy_engine_config": { - "policy_path": "/opt/confidential-containers/opa/policy.rego" - } - } + kbs-config.toml: | + [http_server] + sockets = ["0.0.0.0:8080"] + insecure_http = true + + [admin] + insecure_api = true + auth_public_key = "/etc/auth-secret/publicKey" + + [attestation_token] + insecure_key = true + attestation_token_type = "CoCo" + + [attestation_service] + type = "coco_as_builtin" + work_dir = "/opt/confidential-containers/attestation-service" + policy_engine = "opa" + + [attestation_service.attestation_token_broker] + type = "Ear" + + [attestation_service.attestation_token_config] + duration_min = 5 + + [attestation_service.rvps_config] + type = "BuiltIn" + store_type = "LocalJson" + + [attestation_service.rvps_config.store_config] + file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json" + + [[plugins]] + name = "resource" + type = "LocalFs" + dir_path = "/opt/confidential-containers/kbs/repository" + + [policy_engine] + policy_path = "/opt/confidential-containers/opa/policy.rego"
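Review bot: `attestation_token_type = "CoCo"` is kept under `[attestation_token]` here while every other KBS sample converted in this same change (`config/samples/*/kbs-config.yaml`) drops it and keeps only `insecure_key = true`, so either the key is still meaningful and the samples lost it, or it is a leftover from the JSON schema. If the KBS TOML parser rejects unknown fields the e2e KBS will fail to start on this line; if it ignores them the key is dead config implying a token-type selection that is not happening (hedged — the parser's unknown-field behaviour is not visible here). Drop the line to match the other samples, or, if it is required, add it to those samples as well and comment why it is needed.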