From 04ba30700efb2dd032ffc0c4a829871e85b6ca7d Mon Sep 17 00:00:00 2001
From: David Hadas
Date: Fri, 27 Sep 2024 06:28:07 -0500
Subject: [PATCH] APF: Rename KataAgentNamespace

KataAgentNamespace parameter is controlling the namespace in which the pod runs (not the namespace in which the Kata Agent runs) To make the code readable, it is renamed to PodNamespace

Signed-off-by: David Hadas
---
 .../cmd/agent-protocol-forwarder/main.go | 10 +++++-----
 src/cloud-api-adaptor/docs/SecureComms.md | 2 +-
 src/cloud-api-adaptor/pkg/forwarder/forwarder.go | 2 +-
 .../systemd/system/agent-protocol-forwarder.service | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/cloud-api-adaptor/cmd/agent-protocol-forwarder/main.go b/src/cloud-api-adaptor/cmd/agent-protocol-forwarder/main.go
index fe2d2fa17..47178c7b8 100644
--- a/src/cloud-api-adaptor/cmd/agent-protocol-forwarder/main.go
+++ b/src/cloud-api-adaptor/cmd/agent-protocol-forwarder/main.go
@@ -37,7 +37,7 @@ type Config struct {
 	configPath string
 	listenAddr string
 	kataAgentSocketPath string
-	kataAgentNamespace string
+	podNamespace string
 	HostInterface string
 }
@@ -71,7 +71,7 @@ func (cfg *Config) Setup() (cmd.Starter, error) {
 	flags.StringVar(&cfg.configPath, "config", daemon.DefaultConfigPath, "Path to a daemon config file")
 	flags.StringVar(&cfg.listenAddr, "listen", daemon.DefaultListenAddr, "Listen address")
 	flags.StringVar(&cfg.kataAgentSocketPath, "kata-agent-socket", daemon.DefaultKataAgentSocketPath, "Path to a kata agent socket")
-	flags.StringVar(&cfg.kataAgentNamespace, "kata-agent-namespace", daemon.DefaultKataAgentNamespace, "Path to the network namespace where kata agent runs")
+	flags.StringVar(&cfg.podNamespace, "pod-namespace", daemon.DefaultPodNamespace, "Path to the network namespace where the pod runs")
 	flags.StringVar(&cfg.HostInterface, "host-interface", "", "network interface name that is used for network tunnel traffic")
 	flags.StringVar(&tlsConfig.CAFile, "ca-cert-file", "", "CA cert file")
 	flags.StringVar(&tlsConfig.CertFile, "cert-file", "", "cert file")
@@ -110,7 +110,7 @@ func (cfg *Config) Setup() (cmd.Starter, error) {
 		// To obtain secrets from KBS, we approach the api-server-rest service which then approaches the CDH asking for a secret resource
 		// the CDH than contact the KBS (possibly after approaching Attestation Agent for a token) and the KBS serves the requested key
 		// The communication between the CDH (and Attestation Agent) and the KBS is performed via an SSH tunnel named "KBS"
-		apic := apic.NewApiClient(API_SERVER_REST_PORT, cfg.kataAgentNamespace)
+		apic := apic.NewApiClient(API_SERVER_REST_PORT, cfg.podNamespace)
 		services = append(services, ppssh.NewSshServer(inbounds, outbounds, ppssh.GetSecret(apic.GetKey), sshutil.SSHPORT))
 	} else {
 		if !disableTLS {
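Review bot: Renaming the CLI flag from `kata-agent-namespace` to `pod-namespace` in the Setup hunk at @@ -71 is a breaking change for any unit file, image or wrapper script that still passes the old flag; if `flags` is a standard-library FlagSet, an unknown flag is rejected at parse time, so such a forwarder would fail to start rather than fall back to the default. Registering the old name as a deprecated alias bound to the same field keeps those deployments working during the transition: `flags.StringVar(&cfg.podNamespace, "kata-agent-namespace", daemon.DefaultPodNamespace, "Deprecated: use -pod-namespace")`. The same applies to the exported constant renamed in the forwarder.go hunk (@@ -30): anything outside this repository importing `DefaultKataAgentNamespace` stops compiling unless a `// Deprecated: use DefaultPodNamespace.` alias `DefaultKataAgentNamespace = DefaultPodNamespace` is kept alongside it. Setup's body starts and ends outside this hunk.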
@@ -118,9 +118,9 @@ func (cfg *Config) Setup() (cmd.Starter, error) {
 		}
 	}
-	interceptor := interceptor.NewInterceptor(cfg.kataAgentSocketPath, cfg.kataAgentNamespace)
+	interceptor := interceptor.NewInterceptor(cfg.kataAgentSocketPath, cfg.podNamespace)
-	podNode := podnetwork.NewPodNode(cfg.kataAgentNamespace, cfg.HostInterface, cfg.daemonConfig.PodNetwork)
+	podNode := podnetwork.NewPodNode(cfg.podNamespace, cfg.HostInterface, cfg.daemonConfig.PodNetwork)
 	services = append(services, daemon.NewDaemon(&cfg.daemonConfig, cfg.listenAddr, cfg.tlsConfig, interceptor, podNode))
diff --git a/src/cloud-api-adaptor/docs/SecureComms.md b/src/cloud-api-adaptor/docs/SecureComms.md
index 46ac8c417..38ac81bf9 100644
--- a/src/cloud-api-adaptor/docs/SecureComms.md
+++ b/src/cloud-api-adaptor/docs/SecureComms.md
@@ -56,7 +56,7 @@ kubectl -n kbs-operator-system get cm resource-policy -o yaml | sed "s/default a
 Change the `src/cloud-api-adaptor/podvm/files/etc/systemd/system/agent-protocol-forwarder.service` to include:
 ```sh
-ExecStart=/usr/local/bin/agent-protocol-forwarder -kata-agent-namespace /run/netns/podns -secure-comms -kata-agent-socket /run/kata-containers/agent.sock $TLS_OPTIONS $OPTIONS
+ExecStart=/usr/local/bin/agent-protocol-forwarder -pod-namespace /run/netns/podns -secure-comms -kata-agent-socket /run/kata-containers/agent.sock $TLS_OPTIONS $OPTIONS
 ```
 You may also include additional Inbounds and Outbounds configurations to the Forwarder using the `-secure-comms-inbounds` and `-secure-comms-outbounds` flags. See more details regarding Inbounds and Outbounds below.
diff --git a/src/cloud-api-adaptor/pkg/forwarder/forwarder.go b/src/cloud-api-adaptor/pkg/forwarder/forwarder.go
index 58a20a22d..fd8a694d0 100644
--- a/src/cloud-api-adaptor/pkg/forwarder/forwarder.go
+++ b/src/cloud-api-adaptor/pkg/forwarder/forwarder.go
@@ -30,7 +30,7 @@ const (
 	DefaultConfigPath = "/run/peerpod/daemon.json"
 	DefaultPodNetworkSpecPath = "/run/peerpod/podnetwork.json"
 	DefaultKataAgentSocketPath = "/run/kata-containers/agent.sock"
-	DefaultKataAgentNamespace = "/run/netns/podns"
+	DefaultPodNamespace = "/run/netns/podns"
 	AgentURLPath = "/agent"
 )
diff --git a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/agent-protocol-forwarder.service b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/agent-protocol-forwarder.service
index cfd994378..0203244c1 100644
--- a/src/cloud-api-adaptor/podvm/files/etc/systemd/system/agent-protocol-forwarder.service
+++ b/src/cloud-api-adaptor/podvm/files/etc/systemd/system/agent-protocol-forwarder.service
@@ -8,7 +8,7 @@ DefaultDependencies=no
 [Service]
 Type=notify
 EnvironmentFile=-/etc/default/agent-protocol-forwarder
-ExecStart=/usr/local/bin/agent-protocol-forwarder -kata-agent-namespace /run/netns/podns -kata-agent-socket /run/kata-containers/agent.sock $TLS_OPTIONS $OPTIONS
+ExecStart=/usr/local/bin/agent-protocol-forwarder -pod-namespace /run/netns/podns -kata-agent-socket /run/kata-containers/agent.sock $TLS_OPTIONS $OPTIONS
 Restart=on-failure
 RestartSec=5s