This is also in the scope of a future "SetInitData" API call in kata-agent to propagate config files (there is no user-data/config-drive for bare-metal or nested CVMs).
AA + CDH config file should be measured and the measurement included in the attestation evidence, since they are injected into the CVM from an untrusted source.
The configuration is configured globally per CAA installation, while the SetInitData approach only applies to a single pod.
agent::SetPolicy (which is supposed to be superseded by agent::SetInitData) is already used to propagate files to the CVMs, albeit we don't measure the policy files, atm.
Currently, we can only access the KBS from a pod over an HTTP connection.
The CDH in guest-components has an example and code logic to handle the KBS cert: https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/example.config.toml#L19
The attestation-agent in guest-components has a similar definition.
However, there is no code in cloud-api-adaptor to handle the KBS cert, and no way to pass the parameter to the configuration files of CDH and attestation-agent.
This issue aims to handle the KBS cert parameter in cloud-api-adaptor and pass it to CDH and attestation-agent.