diff --git a/attestation-service/docs/config.md b/attestation-service/docs/config.md
index ee16b3c93..855e5710d 100644
--- a/attestation-service/docs/config.md
+++ b/attestation-service/docs/config.md
@@ -16,20 +16,38 @@ section: | Property | Type | Description | Required | Default | |----------------------------|-----------------------------|-----------------------------------------------------|----------|---------| | `work_dir` | String | The location for Attestation Service to store data. | False | Firstly try to read from ENV `AS_WORK_DIR`. If not any, use `/opt/confidential-containers/attestation-service` | -| `policy_engine` | String | Policy engine type. Valid values: `opa` | False | `opa` | | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | False | - | | `attestation_token_broker` | [AttestationTokeBroker][1] | Attestation result token configuration. | False | - | -[1]: #attestationtokenconfig +[1]: #attestationtokenbroker [2]: #rvps-configuration #### AttestationTokenBroker | Property | Type | Description | Required | Default | |----------------|-------------------------|------------------------------------------------------|----------|---------| -| `type` | String | Type of token to issue (Ear or Simple) | No | `Ear` | +| `type` | String | Type of token to issue (`Ear` or `Simple`) | No | `Ear` | + +When `type` field is set to `Ear`, the following extra properties can be set: + +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | +| `issuer_name` | String | Issure name of the attestation result token. 
| No |`CoCo-Attestation-Service`| +| `developer_name` | String | The developer name to be used as part of the Verifier ID in the EAR | No |`https://confidentialcontainers.org`| +| `build_name` | String | The build name to be used as part of the Verifier ID in the EAR | No | Automatically generated from Cargo package and AS version| +| `profile_name` | String | The Profile that describes the EAR token | No |tag:github.com,2024:confidential-containers/Trustee`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token/ear/policies`| +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | + +[1]: #tokensignerconfig + +When `type` field is set to `Simple`, the following extra properties can be set: +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| | `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | | `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token//simple/policies`| | `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | [1]: #tokensignerconfig diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml index 9aaaefca9..dbad9b055 100644 --- a/kbs/config/kubernetes/base/kbs-config.toml +++ b/kbs/config/kubernetes/base/kbs-config.toml 
@@ -10,7 +10,6 @@ insecure_key = true
 [attestation_service]
 type = "coco_as_builtin"
 work_dir = "/opt/confidential-containers/attestation-service"
-policy_engine = "opa"
 
 [attestation_service.attestation_token_broker]
 type = "Ear"
diff --git a/kbs/docs/config.md b/kbs/docs/config.md
index 57b77d41e..a6b9348b8 100644
--- a/kbs/docs/config.md
+++ b/kbs/docs/config.md
@@ -88,18 +88,36 @@ When `type` is set to `coco_as_builtin`, the following properties can be set. | `rvps_config` | [RVPSConfiguration][2] | RVPS configuration | See [RVPSConfiguration][2] | | `attestation_token_broker` | [AttestationTokenConfig][1] | Attestation result token configuration. | See [AttestationTokenConfig][1] | -[1]: #attestationtokenconfig +[1]: #attestationtokenbroker [2]: #rvps-configuration ##### AttestationTokenBroker -| Property | Type | Description | Default | -|----------------|-------------------------|------------------------------------------------------|----------| -| `type` | String | Type of token to generate (Ear or simple) | Ear | -| `duration_min` | Integer | Duration of the attestation result token in minutes. | 5 | -| `issuer_name` | String | Issure name of the attestation result token. | `CoCo-Attestation-Service` | -| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | None | +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `type` | String | Type of token to issue (`Ear` or `Simple`) | No | `Ear` | + +When `type` field is set to `Ear`, the following extra properties can be set: +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | +| `issuer_name` | String | Issure name of the attestation result token. 
| No |`CoCo-Attestation-Service`| +| `developer_name` | String | The developer name to be used as part of the Verifier ID in the EAR | No |`https://confidentialcontainers.org`| +| `build_name` | String | The build name to be used as part of the Verifier ID in the EAR | No | Automatically generated from Cargo package and AS version| +| `profile_name` | String | The Profile that describes the EAR token | No |tag:github.com,2024:confidential-containers/Trustee`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token/ear/policies`| +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | + +[1]: #tokensignerconfig + +When `type` field is set to `Simple`, the following extra properties can be set: +| Property | Type | Description | Required | Default | +|----------------|-------------------------|------------------------------------------------------|----------|---------| +| `duration_min` | Integer | Duration of the attestation result token in minutes. | No | `5` | +| `issuer_name` | String | Issure name of the attestation result token. | No |`CoCo-Attestation-Service`| +| `policy_dir` | String | The path to the work directory that contains policies to provision the tokens. | No |`/opt/confidential-containers/attestation-service/token//simple/policies`| +| `signer` | [TokenSignerConfig][1] | Signing material of the attestation result token. | No | None | [1]: #tokensignerconfig diff --git a/kbs/test_data/configs/coco-as-builtin-1.toml b/kbs/test_data/configs/coco-as-builtin-1.toml index 45b4e46ae..b57fb5576 100644 --- a/kbs/test_data/configs/coco-as-builtin-1.toml +++ b/kbs/test_data/configs/coco-as-builtin-1.toml @@ -1,7 +1,6 @@ [attestation_service] type = "coco_as_builtin" work_dir = "/opt/coco/attestation-service" -policy_engine = "opa" timeout = 5 [attestation_service.attestation_token_broker] 
diff --git a/kbs/test_data/configs/coco-as-builtin-2.toml b/kbs/test_data/configs/coco-as-builtin-2.toml
index 18385d64f..070b6190b 100644
--- a/kbs/test_data/configs/coco-as-builtin-2.toml
+++ b/kbs/test_data/configs/coco-as-builtin-2.toml
@@ -9,7 +9,6 @@ insecure_http = true
 [attestation_service]
 type = "coco_as_builtin"
 work_dir = "/opt/confidential-containers/attestation-service"
-policy_engine = "opa"
 timeout = 5
 
 [attestation_service.attestation_token_broker]
diff --git a/kbs/test_data/configs/coco-as-builtin-3.toml b/kbs/test_data/configs/coco-as-builtin-3.toml
index edda5a3d3..f42049d6e 100644
--- a/kbs/test_data/configs/coco-as-builtin-3.toml
+++ b/kbs/test_data/configs/coco-as-builtin-3.toml
@@ -7,7 +7,6 @@ insecure_key = false
 [attestation_service]
 type = "coco_as_builtin"
 work_dir = "/opt/confidential-containers/attestation-service"
-policy_engine = "opa"
 timeout = 5
 
 [attestation_service.attestation_token_broker]