RVPS reference values provided via K8s configmap

This configuration applies when the json storage backend is chosen

Signed-off-by: Leonardo Milleri <[email protected]>

README.md

@@ -1,6 +1,6 @@
 # kbs-operator
 
-The `kbs-operator` manages the lifecycle of `kbs` along with it's configuration when deployed
+The `kbs-operator` manages the lifecycle of [trustee](https://github.com/confidential-containers/trustee) along with it's configuration when deployed
 in a Kubernetes cluster
 
 ## Description
@@ -20,6 +20,9 @@ type KbsConfigSpec struct {
   // KbsRvpsConfigMapName is the name of the configmap that contains the KBS RVPS configuration
   KbsRvpsConfigMapName string `json:"kbsRvpsConfigMapName,omitempty"`
 
+  // kbsRvpsRefValuesConfigMapName is the name of the configmap that contains the RVPS reference values
+  KbsRvpsRefValuesConfigMapName string `json:"kbsRvpsRefValuesConfigMapName,omitempty"`
+
   // KbsAuthSecretName is the name of the secret that contains the KBS auth secret
   KbsAuthSecretName string `json:"kbsAuthSecretName,omitempty"`
 
@@ -89,7 +92,6 @@ data:
     {
         "work_dir": "/opt/confidential-containers/attestation-service",
         "policy_engine": "opa",
-        "rvps_store_type": "LocalFs",
         "rvps_config": {
            "remote_addr":"http://127.0.0.1:50003"
         },
@@ -112,14 +114,25 @@ metadata:
   name: kbsconfig-sample
   namespace: kbs-operator-system
 spec:
+  # KBS configuration
   kbsConfigMapName: kbs-config
+  # AS configuration
   kbsAsConfigMapName: as-config  
+  # RVPS configuration
+  kbsRvpsConfigMapName: rvps-config-grpc
+  # reference values config map
+  kbsRvpsReferenceValuesMapName: rvps-reference-values
+  # authentication secret
   kbsAuthSecretName: kbs-auth-public-key
+  # service type
   kbsServiceType: ClusterIP
+  # deployment type
   kbsDeploymentType: MicroservicesDeployment
   # HTTPS support
   kbsHttpsKeySecretName: kbs-https-key
   kbsHttpsCertSecretName: kbs-https-certificate
+  # K8s Secrets to be made available to KBS clients
+  kbsSecretResources: ["kbsres1"]
 ```
 
 Another sample `KbsConfig` with secret resources:
@@ -180,38 +193,20 @@ You’ll need a Kubernetes cluster to run against. You can use [KIND](https://si
   make deploy IMG=${REGISTRY}/kbs-operator:latest
   ```
 
-- Create KBS auth secret.
+- Deployment of CRDs, ConfigMaps and Secrets
 
+  This is an example. Change it to real values as per your requirements.
   ```sh
+  cd config/samples/microservices
+  # or config/samples/all-in-one for the integrated mode
+
+  # create authentication keys
   openssl genpkey -algorithm ed25519 > kbs.key
   openssl pkey -in kbs.key -pubout -out kbs.pem
-
-  kubectl create secret generic kbs-auth-public-key --from-file=kbs.pem -n kbs-operator-system
-  ```
-
-- Create the KBS and AS configmaps.
-
-  ```sh
-  kubectl apply -f config/samples/microservices/kbs-config.yaml
-  kubectl apply -f config/samples/microservices/as-config.yaml
-  ```
-
-- Create the K8s secrets
-
-  This is an example. Change it to real values as per your requirements.
-  Also remember to update the `kbsSecretResources` attribute in the `KbsConfig`
-  CRD with the correct secret name.
   
-  ```sh
-  kubectl create secret generic kbsres1 --from-literal key1=res1val1 --from-literal key2=res1val2 -n kbs-operator-system
-  ```
-
-- Create Custom Resource.
-
-  ```sh
-  kubectl apply -f config/samples/microservices/kbsconfig_sample.yaml
-  ```
-
+  # create all the needed resources
+  kubectl apply -k .
+  
 ### Uninstall CRDs
 
 To delete the CRDs from the cluster:

api/v1alpha1/kbsconfig_types.go

@@ -50,6 +50,9 @@ type KbsConfigSpec struct {
 	// KbsRvpsConfigMapName is the name of the configmap that contains the KBS RVPS configuration
 	KbsRvpsConfigMapName string `json:"kbsRvpsConfigMapName,omitempty"`
 
+	// kbsRvpsRefValuesConfigMapName is the name of the configmap that contains the RVPS reference values
+	KbsRvpsRefValuesConfigMapName string `json:"kbsRvpsRefValuesConfigMapName,omitempty"`
+
 	// KbsAuthSecretName is the name of the secret that contains the KBS auth secret
 	KbsAuthSecretName string `json:"kbsAuthSecretName,omitempty"`
 

config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml

@@ -65,6 +65,10 @@ spec:
                 description: KbsRvpsConfigMapName is the name of the configmap that
                   contains the KBS RVPS configuration
                 type: string
+              kbsRvpsRefValuesConfigMapName:
+                description: kbsRvpsRefValuesConfigMapName is the name of the configmap
+                  that contains the RVPS reference values
+                type: string
               kbsSecretResources:
                 description: KbsSecretResources is an array of secret names that contain
                   the keys required by clients

config/manager/manager.yaml

@@ -82,13 +82,15 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        # KBS_IMAGE_NAME
         - name: KBS_IMAGE_NAME
-          value: ghcr.io/confidential-containers/key-broker-service:latest
+          # kbs image for AllInOneDeployment
+          # value: ghcr.io/confidential-containers/staged-images/kbs:latest
+          # kbs image for MicroserviceDeployment
+          value: ghcr.io/confidential-containers/staged-images/kbs-grpc-as:latest
         - name: AS_IMAGE_NAME
-          value: ghcr.io/confidential-containers/attestation-service:latest
+          value: ghcr.io/confidential-containers/staged-images/coco-as-grpc:latest
         - name: RVPS_IMAGE_NAME
-          value: ghcr.io/confidential-containers/reference-value-provider-service:latest
+          value: ghcr.io/confidential-containers/staged-images/rvps:latest
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

config/samples/all-in-one/kbs-config.yaml

@@ -19,14 +19,15 @@ data:
         "as_config": {
           "work_dir": "/opt/confidential-containers/attestation-service",
           "policy_engine": "opa",
-          "rvps_store_type": "LocalFs",
           "attestation_token_broker": "Simple",
           "attestation_token_config": {
             "duration_min": 5
           },
           "rvps_config": {
-            "store_type": "LocalFs",
-            "remote_addr": ""
+            "store_type": "LocalJson",
+            "store_config": {
+              "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+            }
           }
         },
         "policy_engine_config": {

config/samples/all-in-one/kbsconfig_sample.yaml

@@ -13,4 +13,5 @@ spec:
   kbsConfigMapName: kbs-config
   kbsAuthSecretName: kbs-auth-public-key
   kbsDeploymentType: AllInOneDeployment
-  kbsSecretResources: []
+  kbsRvpsRefValuesConfigMapName: rvps-reference-values
+  #kbsSecretResources: ["kbsres1"]

config/samples/all-in-one/kustomization.yaml

@@ -1,5 +1,18 @@
 ## Append samples you want in your CSV to this file as resources ##
+generatorOptions:
+ disableNameSuffixHash: true
+
+secretGenerator:
+- name: kbs-auth-public-key
+  files:
+  - kbs.pem
+#- name: kbsres1
+#  literals:
+#  - key1=res1val1
+#  - key2=res1val2
+
 resources:
 - kbsconfig_sample.yaml
 - kbs-config.yaml
+- rvps-reference-values.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples

config/samples/all-in-one/rvps-reference-values.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rvps-reference-values
+  namespace: kbs-operator-system
+data:
+  reference-values.json: |
+    [
+      {
+        "name": "sample.svn",
+        "expired": "2025-01-01T00:00:00Z",
+        "hash-value": [
+          {
+            "alg": "sha256",
+            "value": "1"
+          }
+        ]
+      }
+    ]

config/samples/microservices/as-config.yaml

@@ -8,7 +8,6 @@ data:
     {
         "work_dir": "/opt/confidential-containers/attestation-service",
         "policy_engine": "opa",
-        "rvps_store_type": "LocalFs",
         "rvps_config": {
             "remote_addr":"http://127.0.0.1:50003"
         },

config/samples/microservices/kbsconfig_sample.yaml

@@ -12,6 +12,8 @@ metadata:
 spec:
   kbsConfigMapName: kbs-config-grpc
   kbsAsConfigMapName: as-config-grpc
+  kbsRvpsConfigMapName: rvps-config-grpc
+  kbsRvpsRefValuesConfigMapName: rvps-reference-values
   kbsAuthSecretName: kbs-auth-public-key
   kbsServiceType: ClusterIP
   #kbsServiceType: NodePort
@@ -20,4 +22,4 @@ spec:
   kbsDeploymentType: MicroservicesDeployment
   #kbsHttpsKeySecretName: kbs-https-key
   #kbsHttpsCertSecretName: kbs-https-certificate
-  kbsSecretResources: []
+  #kbsSecretResources: ["kbsres1"]

config/samples/microservices/kustomization.yaml

@@ -1,6 +1,20 @@
 ## Append samples you want in your CSV to this file as resources ##
+generatorOptions:
+ disableNameSuffixHash: true
+
+secretGenerator:
+- name: kbs-auth-public-key
+  files:
+  - kbs.pem
+#- name: kbsres1
+#  literals:
+#  - key1=res1val1
+#  - key2=res1val2
+
 resources:
 - kbsconfig_sample.yaml
 - kbs-config.yaml
 - as-config.yaml
+- rvps-config.yaml
+- rvps-reference-values.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples

config/samples/microservices/rvps-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rvps-config-grpc
+  namespace: kbs-operator-system
+data:
+  rvps-config.json: |
+    {
+      "address": "0.0.0.0:50003",
+      "store_type": "LocalJson",
+      "store_config": {
+        "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+      }
+    }

config/samples/microservices/rvps-reference-values.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rvps-reference-values
+  namespace: kbs-operator-system
+data:
+  reference-values.json: |
+    [
+      {
+        "name": "sample.svn",
+        "expired": "2025-01-01T00:00:00Z",
+        "hash-value": [
+          {
+            "alg": "sha256",
+            "value": "1"
+          }
+        ]
+      }
+    ]

controllers/common.go

@@ -50,6 +50,9 @@ const (
 
 	// Default RVPS config path
 	rvpsDefaultConfigPath = "/etc"
+
+	// Default RVPS reference values Path
+	rvpsReferenceValuesPath = "/opt/confidential-containers/rvps"
 )
 
 func contains(list []string, s string) bool {