agent-config: generate and use attestation-agent toml

agent-config: generate and use attestation-agent toml
    - Generate the attestation-agent toml file aa.toml when aaKBCParams provided
    - Use the cfg file to start attestation agent service when it exists
    - Start attestation agent service directly when no cfg file exists
    - remove aa_kbc_params in agent-config so that cdh won't read from it
    - rename agent to aa to reflect the real config

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>

src/cloud-api-adaptor/cmd/process-user-data/main.go

@@ -7,7 +7,6 @@ import (
 	"os"
 
 	cmdUtil "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/cmd"
-	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/agent"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh"
 	daemon "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/forwarder"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/userdata"
@@ -19,8 +18,7 @@ const (
 	providerAzure = "azure"
 	providerAws   = "aws"
 
-	defaultAgentConfigPath = "/etc/agent-config.toml"
-	defaultAuthJsonPath    = "/run/peerpod/auth.json"
+	defaultAuthJsonPath = "/run/peerpod/auth.json"
 )
 
 var versionFlag bool
@@ -37,7 +35,7 @@ var rootCmd = &cobra.Command{
 }
 
 func init() {
-	var agentConfigPath, cdhConfigPath, daemonConfigPath string
+	var cdhConfigPath, daemonConfigPath string
 	var fetchTimeout int
 
 	rootCmd.PersistentFlags().BoolVarP(&versionFlag, "version", "v", false, "Print the version")
@@ -55,18 +53,6 @@ func init() {
 	}
 	provisionFilesCmd.Flags().IntVarP(&fetchTimeout, "user-data-fetch-timeout", "t", 180, "Timeout (in secs) for fetching user data")
 	rootCmd.AddCommand(provisionFilesCmd)
-
-	var updateAgentConfigCmd = &cobra.Command{
-		Use:   "update-agent-config",
-		Short: "Update the agent configuration file",
-		RunE: func(_ *cobra.Command, _ []string) error {
-			cfg := agent.NewConfig(agentConfigPath, defaultAuthJsonPath, daemonConfigPath)
-			return agent.UpdateConfig(cfg)
-		},
-		SilenceUsage: true, // Silence usage on error
-	}
-	updateAgentConfigCmd.Flags().StringVarP(&agentConfigPath, "agent-config-file", "a", defaultAgentConfigPath, "Path to a agent config file")
-	rootCmd.AddCommand(updateAgentConfigCmd)
 }
 
 func main() {

src/cloud-api-adaptor/go.mod

@@ -55,7 +55,6 @@ require (
 	github.com/pelletier/go-toml/v2 v2.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
-	github.com/tj/assert v0.0.3
 	golang.org/x/crypto v0.23.0
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2
 	google.golang.org/protobuf v1.33.0

src/cloud-api-adaptor/go.sum

@@ -540,8 +540,6 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtse
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk=
-github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=

src/cloud-api-adaptor/pkg/aa/config.go

@@ -0,0 +1,49 @@
+package aa
+
+import (
+	"fmt"
+	"strings"
+
+	toml "github.com/pelletier/go-toml/v2"
+)
+
+const (
+	DefaultAaConfigPath = "/run/peerpod/aa.toml"
+)
+
+type AAConfig struct {
+	TokenCfg struct {
+		CocoAs struct {
+			URL string `toml:"url"`
+		} `toml:"coco_as"`
+		Kbs struct {
+			URL string `toml:"url"`
+		} `toml:"kbs"`
+	} `toml:"token_configs"`
+}
+
+func parseAAKBCParams(aaKBCParams string) (string, error) {
+	parts := strings.SplitN(aaKBCParams, "::", 2)
+	if len(parts) != 2 {
+		return "", fmt.Errorf("Invalid aa-kbs-params input: %s", aaKBCParams)
+	}
+	_, url := parts[0], parts[1]
+	return url, nil
+}
+
+func CreateConfigFile(aaKBCParams string) (string, error) {
+	url, err := parseAAKBCParams(aaKBCParams)
+	if err != nil {
+		return "", err
+	}
+
+	config := AAConfig{}
+	config.TokenCfg.CocoAs.URL = ""
+	config.TokenCfg.Kbs.URL = url
+
+	bytes, err := toml.Marshal(config)
+	if err != nil {
+		return "", err
+	}
+	return string(bytes), nil
+}

src/cloud-api-adaptor/pkg/aa/config_test.go

@@ -0,0 +1,36 @@
+package aa
+
+import (
+	"testing"
+)
+
+func Test_parseAAKBCParams(t *testing.T) {
+	url, err := parseAAKBCParams("cc_kbc::http://127.0.0.1:8080")
+	if err != nil {
+		t.Error(err)
+	}
+
+	expected := "http://127.0.0.1:8080"
+	if url != expected {
+		t.Errorf("Expected %s, got %s", expected, url)
+	}
+}
+
+func TestConfigFile(t *testing.T) {
+	refcfg := `[token_configs]
+[token_configs.coco_as]
+url = ''
+
+[token_configs.kbs]
+url = 'http://127.0.0.1:8080'
+`
+
+	config, err := CreateConfigFile("cc_kbc::http://127.0.0.1:8080")
+	if err != nil {
+		t.Error(err)
+	}
+
+	if config != refcfg {
+		t.Errorf("Expected: \n%s, got: \n%s", refcfg, config)
+	}
+}

src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go

@@ -19,6 +19,7 @@ import (
 	"github.com/containerd/containerd/pkg/cri/annotations"
 	pb "github.com/kata-containers/kata-containers/src/runtime/protocols/hypervisor"
 
+	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/aa"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/k8sops"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/proxy"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh"
@@ -279,6 +280,15 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 			Path:    cdh.ConfigFilePath,
 			Content: toml,
 		})
+
+		toml, err = aa.CreateConfigFile(s.aaKBCParams)
+		if err != nil {
+			return nil, fmt.Errorf("creating attestation agent config: %w", err)
+		}
+		cloudConfig.WriteFiles = append(cloudConfig.WriteFiles, cloudinit.WriteFile{
+			Path:    aa.DefaultAaConfigPath,
+			Content: toml,
+		})
 	}
 
 	sandbox := &sandbox{