Skip to content

Commit

Permalink
config: Update config docs and files
Browse files Browse the repository at this point in the history
Due to EAR PR (#516), now the policy engine related configurations are
moved to attestation_token_broker part. Thus the original
`attestation_service.policy_engine` does not work anymore.

Also update the configuration file document to align with the latest
configuration items.

Signed-off-by: Xynnn007 <[email protected]>
  • Loading branch information
Xynnn007 committed Nov 29, 2024
1 parent 50b72e6 commit 160817d
Show file tree
Hide file tree
Showing 6 changed files with 46 additions and 14 deletions.
24 changes: 21 additions & 3 deletions attestation-service/docs/config.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,20 +16,38 @@ section:
| Property | Type | Description | Required | Default |
|----------------------------|-----------------------------|-----------------------------------------------------|----------|---------|
| `work_dir` | String | The location for Attestation Service to store data. | False | Firstly try to read from ENV `AS_WORK_DIR`. If not any, use `/opt/confidential-containers/attestation-service` |
| `policy_engine` | String | Policy engine type. Valid values: `opa` | False | `opa` |
| `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | False | - |
| `attestation_token_broker` | [AttestationTokeBroker][1] | Attestation result token configuration. | False | - |

[1]: #attestationtokenconfig
[1]: #attestationtokenbroker
[2]: #rvps-configuration

#### AttestationTokenBroker

| Property | Type | Description | Required | Default |
|----------------|-------------------------|------------------------------------------------------|----------|---------|
| `type` | String | Type of token to issue (Ear or Simple) | No | `Ear` |
| `type` | String | Type of token to issue (`Ear` or `Simple`) | No | `Ear` |

When `type` field is set to `Ear`, the following extra properties can be set:

| Property | Type | Description | Required | Default |
|----------------|-------------------------|------------------------------------------------------|----------|---------|
| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` |
| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`|
| `developer_name` | String | The developer name to be used as part of the Verifier ID in the EAR | No |`https://confidentialcontainers.org`|
| `build_name` | String | The build name to be used as part of the Verifier ID in the EAR | No | Automatically generated from Cargo package and AS version|
| `profile_name` | String | The Profile that describes the EAR token | No |tag:github.com,2024:confidential-containers/Trustee`|
| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token/ear/policies`|
| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None |

[1]: #tokensignerconfig

When `type` field is set to `Simple`, the following extra properties can be set:
| Property | Type | Description | Required | Default |
|----------------|-------------------------|------------------------------------------------------|----------|---------|
| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` |
| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`|
| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token//simple/policies`|
| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None |

[1]: #tokensignerconfig
Expand Down
1 change: 0 additions & 1 deletion kbs/config/kubernetes/base/kbs-config.toml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ insecure_key = true
[attestation_service]
type = "coco_as_builtin"
work_dir = "/opt/confidential-containers/attestation-service"
policy_engine = "opa"

[attestation_service.attestation_token_broker]
type = "Ear"
Expand Down
32 changes: 25 additions & 7 deletions kbs/docs/config.md
Original file line number Diff line number Diff line change
Expand Up @@ -88,18 +88,36 @@ When `type` is set to `coco_as_builtin`, the following properties can be set.
| `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] |
| `attestation_token_broker` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] |

[1]: #attestationtokenconfig
[1]: #attestationtokenbroker
[2]: #rvps-configuration


##### AttestationTokenBroker

| Property | Type | Description | Default |
|----------------|-------------------------|------------------------------------------------------|----------|
| `type` | String | Type of token to generate (Ear or simple) | Ear |
| `duration_min` | Integer | Duration of the attestation result token in minutes. | 5 |
| `issuer_name` | String | Issure name of the attestation result token. | `CoCo-Attestation-Service` |
| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | None |
| Property | Type | Description | Required | Default |
|----------------|-------------------------|------------------------------------------------------|----------|---------|
| `type` | String | Type of token to issue (`Ear` or `Simple`) | No | `Ear` |

When `type` field is set to `Ear`, the following extra properties can be set:
| Property | Type | Description | Required | Default |
|----------------|-------------------------|------------------------------------------------------|----------|---------|
| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` |
| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`|
| `developer_name` | String | The developer name to be used as part of the Verifier ID in the EAR | No |`https://confidentialcontainers.org`|
| `build_name` | String | The build name to be used as part of the Verifier ID in the EAR | No | Automatically generated from Cargo package and AS version|
| `profile_name` | String | The Profile that describes the EAR token | No |tag:github.com,2024:confidential-containers/Trustee`|
| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token/ear/policies`|
| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None |

[1]: #tokensignerconfig

When `type` field is set to `Simple`, the following extra properties can be set:
| Property | Type | Description | Required | Default |
|----------------|-------------------------|------------------------------------------------------|----------|---------|
| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` |
| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`|
| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token//simple/policies`|
| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None |

[1]: #tokensignerconfig

Expand Down
1 change: 0 additions & 1 deletion kbs/test_data/configs/coco-as-builtin-1.toml
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
[attestation_service]
type = "coco_as_builtin"
work_dir = "/opt/coco/attestation-service"
policy_engine = "opa"
timeout = 5

[attestation_service.attestation_token_broker]
Expand Down
1 change: 0 additions & 1 deletion kbs/test_data/configs/coco-as-builtin-2.toml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ insecure_http = true
[attestation_service]
type = "coco_as_builtin"
work_dir = "/opt/confidential-containers/attestation-service"
policy_engine = "opa"
timeout = 5

[attestation_service.attestation_token_broker]
Expand Down
1 change: 0 additions & 1 deletion kbs/test_data/configs/coco-as-builtin-3.toml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ insecure_key = false
[attestation_service]
type = "coco_as_builtin"
work_dir = "/opt/confidential-containers/attestation-service"
policy_engine = "opa"
timeout = 5

[attestation_service.attestation_token_broker]
Expand Down

0 comments on commit 160817d

Please sign in to comment.