Closed liudalibj closed 3 months ago
Built out a test CatalogSource.yaml for s390x.
```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: trustee-operator-catalog
  namespace: openshift-marketplace
spec:
  displayName: Trustee Operator Catalog
  sourceType: grpc
  image: icr.io/ikswhp_multiarch/trustee-operator-catalog:v0.1.0
  updateStrategy:
    registryPoll:
      interval: 5m
```
Configured and verified the PR on an OCP cluster deployed on an LPAR.
```
[root@bastion-ocp-cn kbs]# oc get deploy
NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
trustee-deployment                    1/1     1            1           14m
trustee-operator-controller-manager   1/1     1            1           51m
[root@bastion-ocp-cn kbs]# oc describe deploy trustee-deployment
Name:                   trustee-deployment
Namespace:              kbs-operator-system
CreationTimestamp:      Thu, 01 Aug 2024 12:23:00 -0400
Labels:                 <none>
Annotations:            deployment.kubernetes.io/revision: 2
Selector:               app=kbs
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  1 max unavailable, 25% max surge
Pod Template:
  Labels:  app=kbs
  Containers:
   kbs:
    Image:           icr.io/ikswhp_multiarch/kbs:e890fc90c384207668fa3a4d6a2f2a2d652797ee
    Port:            8080/TCP
    Host Port:       0/TCP
    SeccompProfile:  RuntimeDefault
    Command:
      /usr/local/bin/kbs
      --config-file
      /etc/kbs-config/kbs-config.json
    Environment:
      RUST_LOG:                    debug
      SE_SKIP_CERTS_VERIFICATION:  true
    Mounts:
      /etc/auth-secret from auth-secret (rw)
      /etc/https-cert from https-cert (rw)
      /etc/https-key from https-key (rw)
      /etc/kbs-config from kbs-config (rw)
      /opt/confidential-containers from confidential-containers (rw)
      /opt/confidential-containers/attestation-service/opa from attestation-opa (rw)
      /opt/confidential-containers/kbs/repository/default from default (rw)
      /opt/confidential-containers/kbs/repository/default/kbsres1 from kbsres1 (rw)
      /opt/confidential-containers/opa from opa (rw)
      /opt/confidential-containers/rvps/reference-values from reference-values (rw)
      /run/confidential-containers/ibmse/ from ibmse-pvc (rw)
  Volumes:
   confidential-containers:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:  <unset>
   default:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:  <unset>
   kbs-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      kbs-config
    Optional:  false
   attestation-opa:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      ibmse-attestation-policy
    Optional:  false
   opa:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      ibmse-resource-policy
    Optional:  false
   ibmse-pvc:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  ibmse-pvc
    ReadOnly:   true
   auth-secret:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kbs-auth-public-key
    Optional:    false
   https-key:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kbs-https-key
    Optional:    false
   https-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kbs-https-certificate
    Optional:    false
   kbsres1:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kbsres1
    Optional:    false
   reference-values:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      rvps-reference-values
    Optional:  false
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  trustee-deployment-855c56dc6 (0/0 replicas created)
NewReplicaSet:   trustee-deployment-5cf95bb7d9 (1/1 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  14m   deployment-controller  Scaled up replica set trustee-deployment-855c56dc6 to 1
  Normal  ScalingReplicaSet  10m   deployment-controller  Scaled up replica set trustee-deployment-5cf95bb7d9 to 1
  Normal  ScalingReplicaSet  10m   deployment-controller  Scaled down replica set trustee-deployment-855c56dc6 to 0 from 1
[root@bastion-ocp-cn kbs]#
[root@bastion-ocp-cn kbs]# oc logs trustee-deployment-5cf95bb7d9-fqk8p
[2024-08-01T16:27:24Z INFO kbs] Using config file /etc/kbs-config/kbs-config.json
[2024-08-01T16:27:24Z DEBUG kbs] Config: KbsConfig {
    repository_config: Some(
        LocalFs(
            LocalFsRepoDesc {
                dir_path: Some(
                    "/opt/confidential-containers/kbs/repository",
                ),
            },
        ),
    ),
    attestation_token_config: AttestationTokenVerifierConfig {
        attestation_token_type: CoCo,
        trusted_certs_paths: None,
    },
    as_config: Some(
        Config {
            work_dir: "/opt/confidential-containers/attestation-service",
            policy_engine: "opa",
            rvps_config: RvpsConfig {
                remote_addr: "",
                store_type: "LocalJson",
                store_config: Object {
                    "file_path": String("/opt/confidential-containers/rvps/reference-values/reference-values.json"),
                },
            },
            attestation_token_broker: Simple,
            attestation_token_config: AttestationTokenConfig {
                duration_min: 5,
                issuer_name: "CoCo-Attestation-Service",
                signer: None,
            },
        },
    ),
    sockets: [
        0.0.0.0:8080,
    ],
    timeout: 5,
    private_key: Some(
        "/etc/https-key/https.key",
    ),
    certificate: Some(
        "/etc/https-cert/https.crt",
    ),
    insecure_http: false,
    auth_public_key: Some(
        "/etc/auth-secret/publicKey",
    ),
    insecure_api: false,
    policy_engine_config: Some(
        PolicyEngineConfig {
            policy_path: Some(
                "/opt/confidential-containers/opa/policy.rego",
            ),
        },
    ),
}
[2024-08-01T16:27:24Z WARN attestation_service::rvps] No RVPS address provided and will launch a built-in rvps
[2024-08-01T16:27:24Z DEBUG reference_value_provider_service::store::local_json] create path for LocalJson: "/opt/confidential-containers/rvps/reference-values"
[2024-08-01T16:27:24Z INFO attestation_service::token::simple] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert
[2024-08-01T16:27:25Z INFO kbs] Starting HTTPS server at [0.0.0.0:8080]
[2024-08-01T16:27:25Z INFO actix_server::builder] starting 4 workers
[2024-08-01T16:27:25Z INFO actix_server::server] Tokio runtime found; starting in existing Tokio runtime
...
[2024-08-01T16:27:37Z INFO actix_web::middleware::logger] 100.64.0.6 "GET /kbs/v0/resource/default/kbsres1/key1 HTTP/2.0" 401 173 "-" "attestation-agent-kbs-client/0.1.0" 0.000931
[2024-08-01T16:27:38Z INFO kbs::http::attest] Attest API called.
[2024-08-01T16:27:38Z DEBUG kbs::http::attest] Session ID ae6e8ae0234d4c96aa3a8ec08f3b235b
...
[2024-08-01T16:27:38Z DEBUG kbs::http::resource] Get pkey from session.
[2024-08-01T16:27:38Z INFO kbs::http::resource] Get resource from kbs:///default/kbsres1/key1
[2024-08-01T16:27:38Z INFO kbs::http::resource] Resource access request passes policy check.
[2024-08-01T16:27:38Z INFO actix_web::middleware::logger] 100.64.0.6 "GET /kbs/v0/resource/default/kbsres1/key1 HTTP/2.0" 200 498 "-" "attestation-agent-kbs-client/0.1.0" 0.011772
```
@bpradipt @lmilleri would you like to help take a look at this PR? Thanks.
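The `oc logs` output in the test report above shows the sequence a reviewer wants to confirm: the first resource GET from the attestation agent is rejected with 401, the Attest API is called, the resource request passes the policy check, and only then does the same GET return 200; the DEBUG config dump also shows `insecure_http: false` and `insecure_api: false`. The following script is an added example, not code from the PR or from the trustee-operator project. It parses that kind of log text and verifies the sequence and the two flags. The sample log lines are copied from the output above (the elided `...` stretches are omitted), and the negative case is constructed. The regexes are assumptions about the env_logger/actix line format shown above; because the attest and policy-check lines carry no client address, the check is per log, not per client.

```python
"""Audit a Trustee (KBS) log for attest-before-fetch and for insecure flags.

Added example (not part of the PR). Two checks on `oc logs` output:
  1. every GET under /kbs/v0/resource/ that returned 200 was preceded by an
     "Attest API called." line and a "passes policy check." line, while an
     unattested request was rejected with 401;
  2. the DEBUG KbsConfig dump has insecure_http and insecure_api set to false.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the PR's `oc logs` output, "..." stretches omitted.
SAMPLE_LOG = """\
[2024-08-01T16:27:25Z INFO kbs] Starting HTTPS server at [0.0.0.0:8080]
[2024-08-01T16:27:37Z INFO actix_web::middleware::logger] 100.64.0.6 "GET /kbs/v0/resource/default/kbsres1/key1 HTTP/2.0" 401 173 "-" "attestation-agent-kbs-client/0.1.0" 0.000931
[2024-08-01T16:27:38Z INFO kbs::http::attest] Attest API called.
[2024-08-01T16:27:38Z DEBUG kbs::http::attest] Session ID ae6e8ae0234d4c96aa3a8ec08f3b235b
[2024-08-01T16:27:38Z DEBUG kbs::http::resource] Get pkey from session.
[2024-08-01T16:27:38Z INFO kbs::http::resource] Get resource from kbs:///default/kbsres1/key1
[2024-08-01T16:27:38Z INFO kbs::http::resource] Resource access request passes policy check.
[2024-08-01T16:27:38Z INFO actix_web::middleware::logger] 100.64.0.6 "GET /kbs/v0/resource/default/kbsres1/key1 HTTP/2.0" 200 498 "-" "attestation-agent-kbs-client/0.1.0" 0.011772
"""

# Constructed sample: the relevant lines of the DEBUG KbsConfig dump.
SAMPLE_CONFIG = """\
    insecure_http: false,
    auth_public_key: Some(
        "/etc/auth-secret/publicKey",
    ),
    insecure_api: false,
"""

# Constructed negative case (not from the PR): a 200 with no attest/policy lines before it.
BAD_LOG = """\
[2024-08-01T17:00:00Z INFO actix_web::middleware::logger] 100.64.0.9 "GET /kbs/v0/resource/default/kbsres1/key1 HTTP/2.0" 200 498 "-" "example-client/0.0" 0.001000
"""

# Assumed line formats, derived from the log excerpt above.
ACCESS_RE = re.compile(
    r'^\[(?P<ts>\S+)\s+INFO\s+actix_web::middleware::logger\]\s+(?P<client>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})\b'
)
ATTEST_RE = re.compile(r'^\[\S+\s+INFO\s+kbs::http::attest\]\s+Attest API called\.')
POLICY_OK_RE = re.compile(
    r'^\[\S+\s+INFO\s+kbs::http::resource\]\s+Resource access request passes policy check\.'
)
FLAG_RE = re.compile(r'^\s*(?P<flag>insecure_http|insecure_api):\s*(?P<value>true|false),?\s*$')


@dataclass
class ResourceAccess:
    ts: str
    client: str
    path: str
    status: int
    attested: bool        # an Attest API call appeared earlier in the log
    policy_checked: bool  # a policy-check pass appeared since the previous resource request
    verdict: str


def audit_resource_access(log_text: str) -> list[ResourceAccess]:
    """Classify every /kbs/v0/resource/ request in log order."""
    attested = False
    policy_ok = False
    results: list[ResourceAccess] = []
    for line in log_text.splitlines():
        if ATTEST_RE.match(line):
            attested = True
            continue
        if POLICY_OK_RE.match(line):
            policy_ok = True
            continue
        m = ACCESS_RE.match(line)
        if not m or not m.group("path").startswith("/kbs/v0/resource/"):
            continue
        status = int(m.group("status"))
        if status == 401 and not attested:
            verdict = "expected: unattested client rejected"
        elif status == 200 and attested and policy_ok:
            verdict = "expected: attested client passed policy"
        elif status == 200:
            verdict = "REVIEW: resource served without attest/policy-check lines"
        else:
            verdict = f"other: status {status}"
        results.append(ResourceAccess(m.group("ts"), m.group("client"), m.group("path"),
                                      status, attested, policy_ok, verdict))
        policy_ok = False  # a policy verdict covers exactly one resource request
    return results


def check_insecure_flags(log_text: str) -> dict[str, bool]:
    """Return the insecure_http / insecure_api values found in a KbsConfig dump."""
    flags: dict[str, bool] = {}
    for line in log_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group("flag")] = m.group("value") == "true"
    return flags


if __name__ == "__main__":
    for access in audit_resource_access(SAMPLE_LOG):
        print(f"{access.ts} {access.client} {access.path} -> {access.status}: {access.verdict}")
    print("insecure flags:", check_insecure_flags(SAMPLE_CONFIG))
```

Run it against `oc logs <trustee pod> | python3 audit_kbs_log.py` by replacing the constructed samples with stdin; any `REVIEW` verdict, or either flag reported as true, is worth a closer look at the KBS config and policy before signing off on the deployment.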
FYI @huoqifeng @savitrilh: the trustee-operator update for ibmse.
It looks good to me, thank you @liudalibj.
@bpradipt would you like to help review this PR and merge it if there are no more comments? Thanks!