Improve RVPS storage config #633

Merged (4 commits), Dec 18, 2024
1 change: 1 addition & 0 deletions Cargo.lock

6 changes: 4 additions & 2 deletions attestation-service/config.json
Expand Up @@ -2,10 +2,12 @@
"work_dir": "/var/lib/attestation-service/",
"rvps_config": {
"type": "BuiltIn",
"store_type": "LocalFs"
"storage": {
"type": "LocalFs"
}
},
"attestation_token_broker": {
"type": "Simple",
"duration_min": 5
}
}
}
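Review bot: Replacing the flat `store_type` key with a nested `storage` object is a breaking change for every existing `rvps_config` (JSON and TOML) that still carries `"store_type": "LocalFs"`; the PR description or changelog should spell out the migration (`"store_type": "LocalFs"` becomes `"storage": { "type": "LocalFs" }`), and it is worth checking that the deserializer rejects the old key with a clear error instead of silently ignoring it and falling back to a default store.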
9 changes: 4 additions & 5 deletions attestation-service/docs/config.md
Expand Up @@ -74,10 +74,9 @@ If `type` is set to `BuiltIn`, the following extra properties can be set

| Property | Type | Description | Required | Default |
|----------------|-------------------------|-----------------------------------------------------------------------|----------|----------|
| `store_type` | String | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`) | No | `LocalFs`|
| `store_config` | JSON Map | The optional configurations to the underlying storage. | No | Null |
| `storage` | ReferenceValueStorageConfig | Configuration of storage for reference values (`LocalFs` or `LocalJson`) | No | `LocalFs`|

Different `store_type` will have different `store_config` items.
`ReferenceValueStorageConfig` can contain either a `LocalFs` configuration or a `LocalJson` configuration.

For `LocalFs`, the following properties can be set

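Review bot: The new table row gives the `Type` column as `ReferenceValueStorageConfig`, a Rust type name that means nothing to someone writing the JSON file; describe it in JSON terms instead, e.g. "JSON map with a `type` field (`LocalFs` or `LocalJson`) plus the type-specific properties listed below", and make the `Default` cell say what happens when `storage` is omitted entirely (a `LocalFs` store with its default `file_path`). The widened cell also breaks the column alignment of the markdown table, so re-pad the separator row.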
Expand Down Expand Up @@ -110,8 +109,8 @@ Running with a built-in RVPS:
"policy_engine": "opa",
"rvps_config": {
"type": "BuiltIn",
"store_type": "LocalFs",
"store_config": {
"storage": {
"type": "LocalFs"
"file_path": "/var/lib/attestation-service/reference-values"
}
},
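Review bot: The added `"type": "LocalFs"` line is missing the trailing comma before the unchanged `"file_path"` line that follows it, so the documented example is no longer valid JSON; it should read `"type": "LocalFs",`.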
22 changes: 9 additions & 13 deletions attestation-service/src/config.rs
Expand Up @@ -58,9 +58,10 @@ impl TryFrom<&Path> for Config {
/// "work_dir": "/var/lib/attestation-service/",
/// "policy_engine": "opa",
/// "rvps_config": {
/// "store_type": "LocalFs",
/// "storage": {
/// "type": "LocalFs"
/// }
/// "store_config": {},
/// "remote_addr": ""
/// },
/// "attestation_token_broker": {
/// "type": "Ear",
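Review bot: The doc-comment example now has the `storage` block's closing `}` directly followed by `"remote_addr": ""` with no comma between them, so the example is invalid JSON. `remote_addr` is also removed from all four `BuiltIn` test configs in this PR, so the example mixes keys from two variants; either drop `"remote_addr"` here or show it only for the remote RVPS variant.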
Expand All @@ -76,24 +77,22 @@ impl TryFrom<&Path> for Config {

#[cfg(test)]
mod tests {
use std::path::PathBuf;

use rstest::rstest;
use serde_json::json;
use std::path::PathBuf;

use super::Config;
use crate::rvps::RvpsCrateConfig;
use crate::{
rvps::RvpsConfig,
token::{ear_broker, simple, AttestationTokenConfig},
};
use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig};

#[rstest]
#[case("./tests/configs/example1.json", Config {
work_dir: PathBuf::from("/var/lib/attestation-service/"),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
store_type: "LocalFs".into(),
store_config: json!({}),
storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
}),
attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
duration_min: 5,
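Review bot: `use serde_json::json;` is kept as an unchanged line although every `store_config: json!({})` use in this test module is deleted by this PR; if nothing else in the module still invokes `json!`, the import now triggers an unused-import warning under `cargo test`, so drop it here the same way the kbs/src/config.rs hunk does.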
Expand All @@ -105,8 +104,7 @@ mod tests {
#[case("./tests/configs/example2.json", Config {
work_dir: PathBuf::from("/var/lib/attestation-service/"),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
store_type: "LocalFs".into(),
store_config: json!({}),
storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
}),
attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
duration_min: 5,
Expand All @@ -122,8 +120,7 @@ mod tests {
#[case("./tests/configs/example3.json", Config {
work_dir: PathBuf::from("/var/lib/attestation-service/"),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
store_type: "LocalFs".into(),
store_config: json!({}),
storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
}),
attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration {
duration_min: 5,
Expand All @@ -138,8 +135,7 @@ mod tests {
#[case("./tests/configs/example4.json", Config {
work_dir: PathBuf::from("/var/lib/attestation-service/"),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
store_type: "LocalFs".into(),
store_config: json!({}),
storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config::default()),
}),
attestation_token_broker: AttestationTokenConfig::Ear(ear_broker::Configuration {
duration_min: 5,
5 changes: 3 additions & 2 deletions attestation-service/tests/configs/example1.json
Expand Up @@ -2,8 +2,9 @@
"work_dir": "/var/lib/attestation-service/",
"rvps_config": {
"type": "BuiltIn",
"store_type": "LocalFs",
"remote_addr": ""
"storage": {
"type": "LocalFs"
}
},
"attestation_token_broker": {
"type": "Simple",
5 changes: 3 additions & 2 deletions attestation-service/tests/configs/example2.json
Expand Up @@ -2,8 +2,9 @@
"work_dir": "/var/lib/attestation-service/",
"rvps_config": {
"type": "BuiltIn",
"store_type": "LocalFs",
"remote_addr": ""
"storage": {
"type": "LocalFs"
}
},
"attestation_token_broker": {
"type": "Simple",
5 changes: 3 additions & 2 deletions attestation-service/tests/configs/example3.json
Expand Up @@ -2,8 +2,9 @@
"work_dir": "/var/lib/attestation-service/",
"rvps_config": {
"type": "BuiltIn",
"store_type": "LocalFs",
"remote_addr": ""
"storage": {
"type": "LocalFs"
}
},
"attestation_token_broker": {
"type": "Ear",
5 changes: 3 additions & 2 deletions attestation-service/tests/configs/example4.json
Expand Up @@ -2,8 +2,9 @@
"work_dir": "/var/lib/attestation-service/",
"rvps_config": {
"type": "BuiltIn",
"store_type": "LocalFs",
"remote_addr": ""
"storage": {
"type": "LocalFs"
}
},
"attestation_token_broker": {
"type": "Ear",
10 changes: 6 additions & 4 deletions deps/verifier/src/se/README.md
Expand Up @@ -103,17 +103,19 @@ insecure_http = true
[attestation_token]
insecure_key = true

[as_config]
[attestation_service]
work_dir = "/opt/confidential-containers/attestation-service"
policy_engine = "opa"

[as_config.attestation_token_broker]
[attestation_service.attestation_token_broker]
type = "Ear"
duration_min = 5

[as_config.rvps_config]
[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[attestation_service.rvps_config]
type = "LocalFs"
```

- Launch the KBS program
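Review bot: The second `[attestation_service.rvps_config]` header in the SE README example repeats the first one, which TOML rejects as a table defined twice; the storage settings belong under `[attestation_service.rvps_config.storage]`, exactly as the kbs/docs/config.md hunk in this same PR writes it. Without the `.storage` suffix the second `type = "LocalFs"` would also collide with the `type = "BuiltIn"` above it.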
5 changes: 5 additions & 0 deletions docker-compose.yml
Expand Up @@ -52,6 +52,11 @@ services:
volumes:
- ./kbs/data/reference-values:/opt/confidential-containers/attestation-service/reference_values:rw
- ./kbs/config/rvps.json:/etc/rvps.json:rw
command: [
Contributor:
Not sure about other verifiers, but I think SE does have a related document here https://github.com/confidential-containers/trustee/blob/main/deps/verifier/src/se/README.md that needs to be revised accordingly; maybe a new PR is needed to address this change in the SE doc. CC @stevenhorsman @bpradipt

@stevenhorsman (Member), Dec 17, 2024:
Thanks for the notice - cc @gauravkuredhat

Member Author:
Oh yeah, I didn't update any of the docs. I will add a commit to do that.

Member Author:
Updated.

"rvps",
"--address",
"0.0.0.0:50003"
]

keyprovider:
image: ghcr.io/confidential-containers/coco-keyprovider:latest
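Review bot: The new `command` passes only `--address 0.0.0.0:50003`, while the service still mounts `./kbs/config/rvps.json` at `/etc/rvps.json`, a file that (per the rvps.json hunk in this PR) already carries the same `address` plus the `storage.file_path` setting. Unless the binary loads `/etc/rvps.json` by default, the mounted storage config is never read; either add `-c /etc/rvps.json` (the flag the rvps README documents) to the command or drop the now-redundant mount, so the reference-value path the container actually uses is unambiguous.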
2 changes: 2 additions & 0 deletions kbs/Cargo.toml
Expand Up @@ -82,9 +82,11 @@ attestation-service = { path = "../attestation-service", default-features = fals
"se-verifier",
], optional = true }


[dev-dependencies]
tempfile.workspace = true
rstest.workspace = true
reference-value-provider-service.path = "../rvps"

[build-dependencies]
tonic-build = { workspace = true, optional = true }
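Review bot: The hunk introduces a second consecutive blank line before `[dev-dependencies]`; drop one. The new `reference-value-provider-service.path = "../rvps"` entry also departs from the `.workspace = true` form used by the neighbouring dev-dependencies, so if the workspace manifest already declares this crate, reference it the same way for consistency.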
1 change: 0 additions & 1 deletion kbs/config/kbs-config.toml
Expand Up @@ -15,7 +15,6 @@ duration_min = 5

[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[policy_engine]
policy_path = "/opa/confidential-containers/kbs/policy.rego"
1 change: 0 additions & 1 deletion kbs/config/kubernetes/base/kbs-config.toml
Expand Up @@ -20,7 +20,6 @@ key_path = "/kbs/as-private-key.pem"

[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[admin]
auth_public_key = "/kbs/kbs.pem"
9 changes: 4 additions & 5 deletions kbs/config/rvps.json
@@ -1,7 +1,6 @@
{
"address": "0.0.0.0:50003",
"store_type": "LocalFs",
"store_config": {
"file_path": "/opt/confidential-containers/attestation-service/reference_values"
"storage": {
"type":"LocalFs",
"file_path": "/opt/confidential-containers/attestation-service/reference_values"
}
}
}
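Review bot: `"type":"LocalFs",` is the only key in this file without a space after the colon; normalise it to `"type": "LocalFs",` to match `"address"` and `"file_path"`. Note too that this file's `address` now duplicates the `--address` flag added to docker-compose.yml in this PR; one of the two should be the single source of truth.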
9 changes: 5 additions & 4 deletions kbs/docs/config.md
Expand Up @@ -143,10 +143,9 @@ If `type` is set to `BuiltIn`, the following extra properties can be set

| Property | Type | Description | Required | Default |
|----------------|-------------------------|-----------------------------------------------------------------------|----------|----------|
| `store_type` | String | The underlying storage type of RVPS. (`LocalFs` or `LocalJson`) | No | `LocalFs`|
| `store_config` | JSON Map | The optional configurations to the underlying storage. | No | Null |
| `storage` | ReferenceValueStorageConfig | Configuration of the storage for reference values (`LocalFs` or `LocalJson`) | No | `LocalFs`|

Different `store_type` will have different `store_config` items.
A `ReferenceValueStorageConfig` can either be of type `LocalFs` or `LocalJson`

For `LocalFs`, the following properties can be set

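Review bot: The sentence "A `ReferenceValueStorageConfig` can either be of type `LocalFs` or `LocalJson`" lacks a terminal period and, like the attestation-service doc hunk, presents a Rust type name to readers who are writing TOML or JSON; reword it as a `storage` map with a `type` field and type-specific properties. The two docs (attestation-service/docs/config.md and kbs/docs/config.md) describe the same field in different words in this PR; keep the wording identical so they do not drift.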
Expand Down Expand Up @@ -276,7 +275,9 @@ policy_engine = "opa"

[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[attestation_service.rvps_config.storage]
type = "LocalFs"

[[plugins]]
name = "resource"
4 changes: 3 additions & 1 deletion kbs/docs/self-signed-https.md
Expand Up @@ -88,7 +88,9 @@ policy_engine = "opa"

[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[attestation_service.rvps_config.storage]
type = "LocalFs"

[[plugins]]
name = "resource"
15 changes: 7 additions & 8 deletions kbs/src/config.rs
Expand Up @@ -124,8 +124,9 @@ mod tests {
token::{simple, AttestationTokenConfig, COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION},
};

use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig};

use rstest::rstest;
use serde_json::json;

#[rstest]
#[case("test_data/configs/coco-as-grpc-1.toml", KbsConfig {
Expand Down Expand Up @@ -293,9 +294,10 @@ mod tests {
crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn(
attestation_service::config::Config {
work_dir: "/opt/confidential-containers/attestation-service".into(),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
store_type: "LocalFs".into(),
store_config: json!({}),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig{
storage: ReferenceValueStorageConfig::LocalFs(local_fs::Config{
file_path: "/opt/confidential-containers/attestation-service/reference_values".into(),
}),
}),
attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration{
duration_min: 5,
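Review bot: The added `RvpsCrateConfig{` and `local_fs::Config{` lines omit the space before the brace that rustfmt emits, following the unformatted style of the surrounding `simple::Configuration{` context line; run `cargo fmt` on the test module (or at least the lines this PR touches) so the expected-config literals stay rustfmt-clean. The explicit `file_path` here also hard-codes the same `/opt/confidential-containers/attestation-service/reference_values` path as kbs/config/rvps.json; a shared constant would keep the test and the shipped config from diverging.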
Expand Down Expand Up @@ -423,10 +425,7 @@ mod tests {
crate::attestation::config::AttestationServiceConfig::CoCoASBuiltIn(
attestation_service::config::Config {
work_dir: "/opt/confidential-containers/attestation-service".into(),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig {
store_type: "LocalFs".into(),
..Default::default()
}),
rvps_config: RvpsConfig::BuiltIn(RvpsCrateConfig::default()),
attestation_token_broker: AttestationTokenConfig::Simple(simple::Configuration {
duration_min: 5,
policy_dir: "/opt/confidential-containers/attestation-service/simple-policies".into(),
1 change: 0 additions & 1 deletion kbs/test/config/kbs.toml
Expand Up @@ -22,7 +22,6 @@ cert_path = "./work/token-cert-chain.pem"

[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[policy_engine]
policy_path = "./work/kbs-policy.rego"
4 changes: 3 additions & 1 deletion kbs/test_data/configs/coco-as-builtin-2.toml
Expand Up @@ -17,7 +17,9 @@ duration_min = 5

[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[attestation_service.rvps_config.storage]
type = "LocalFs"

[admin]
auth_public_key = "/kbs/kbs.pem"
4 changes: 3 additions & 1 deletion kbs/test_data/configs/coco-as-builtin-3.toml
Expand Up @@ -16,7 +16,9 @@ policy_dir = "/opt/confidential-containers/attestation-service/simple-policies"

[attestation_service.rvps_config]
type = "BuiltIn"
store_type = "LocalFs"

[attestation_service.rvps_config.storage]
type = "LocalFs"

[policy_engine]
policy_path = "/opa/confidential-containers/kbs/policy.rego"
10 changes: 4 additions & 6 deletions rvps/README.md
Expand Up @@ -77,22 +77,20 @@ cd .. && docker build -t rvps -f rvps/docker/Dockerfile .

Run
```bash
docker run -d -p 50003:50003 rvps
docker run -d -p 50003:50003 rvps --address 0.0.0.0:50003
```

### Configuration file

RVPS can be launched with a specified configuration file by `-c` flag. A configuration file looks lile
```json
{
"address": "0.0.0.0:50003",
"store_type": "LocalFs",
"store_config": {
"storage": {
"type": "LocalFs",
"file_path": "/opt/confidential-containers/attestation-service/reference_values"
}
}
```
- `address`: socket listening to requests.
- `store_type`: backend storage type to store reference values. Currently `LocalFs` and `LocalJson` are supported.
- `store_config`: optional extra parameters for different kinds of `store_type`. This is also a JSON map object. The concrete content is different due to different `store_type`.

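Review bot: The bullets documenting `store_type` and `store_config` are removed but no bullet for the new `storage` key is added, so the example JSON above now shows a key the list below it never explains; add an entry such as `storage`: backend storage for reference values, a map with `type` (`LocalFs` or `LocalJson`) plus type-specific fields, e.g. `file_path` for `LocalFs`. The unchanged context line "A configuration file looks lile" has a typo ("like") that could be fixed in the same commit.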
Expand Down Expand Up @@ -126,7 +124,7 @@ A client tool helps to perform as a client to rvps. It can
Run RVPS in docker or the following commands
```bash
RVPS_ADDR=127.0.0.1:50003
rvps --socket $RVPS_ADDR
rvps --address $RVPS_ADDR
```

Edit an test message in [sample format](./src/extractors/extractor_modules/sample/README.md)