
Replace AA_KBC_PARAMS after enable initdata #1985

Closed
5 of 8 tasks
huoqifeng opened this issue Aug 7, 2024 · 5 comments · Fixed by #2006

Comments


huoqifeng commented Aug 7, 2024

initdata is enabled in #1895 via #1912 and we're still keeping the AA_KBC_PARAMS approach. Initdata will not take effect if AA_KBC_PARAMS is set.

In this story, we'll

  • Add the kbs e2e tests to use initdata
    • Migrate existing test cases
    • Consider using the KBS cert
    • Consider measurements/runtime_data checks for initdata.digest.
      • Requires reconciling with upstream on digest comparison for TEE drivers
  • Remove the AA_KBC_PARAMS logic
  • Adjust documentation
  • Provide default initData via configMap to improve the UX
    (see initdata: migrate key release test cases to initdata #2006 (comment))

@huoqifeng huoqifeng changed the title Remove AA_KBC_PARAMS after enable initdata Replace AA_KBC_PARAMS after enable initdata Aug 7, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in CoCo Releases Aug 8, 2024
huoqifeng pushed a commit to huoqifeng/cloud-api-adaptor that referenced this issue Aug 15, 2024
Fixes: confidential-containers#1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
huoqifeng (Author) commented:

@bpradipt @mkulke I noticed that TEST_TRUSTEE_OPERATOR is used to test TestTrusteeOperatorKeyReleaseForSpecificKey for a pre-configured cluster in azure. Does the TrusteeOperator support https now? Considering the complexity of enabling https in KBS, I think maybe we should use TrusteeOperator to test KBS https and the certificates in aa.toml and cdh.toml, which will be passed in by initdata. wdyt?

huoqifeng pushed a commit to huoqifeng/cloud-api-adaptor that referenced this issue Aug 17, 2024
 - migrate key release test cases to initdata
 - remove AA_KBC_PARAMS and aaKBCParams
 - use allow-all rego policy to make key release test run correctly

Fixes: confidential-containers#1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
bpradipt (Member) commented:

@bpradipt @mkulke I noticed that TEST_TRUSTEE_OPERATOR is used to test TestTrusteeOperatorKeyReleaseForSpecificKey for a pre-configured cluster in azure. Does the TrusteeOperator support https now? Considering the complexity of enabling https in KBS, I think maybe we should use TrusteeOperator to test KBS https and the certificates in aa.toml and cdh.toml, which will be passed in by initdata. wdyt?

I used CA signed certificates with TrusteeOperator, however I think we should be able to use self-signed certificates as well. Let me know if you need any help.

huoqifeng (Author) commented:

I used CA signed certificates with TrusteeOperator, however I think we should be able to use self-signed certificates as well. Let me know if you need any help.

OK, I think the e2e test will use a self-signed certificate. I'll add it.

huoqifeng pushed a commit to huoqifeng/cloud-api-adaptor that referenced this issue Aug 19, 2024
- add global-initdata in configmap and parameters
Fixes: confidential-containers#1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
huoqifeng pushed a commit to huoqifeng/cloud-api-adaptor that referenced this issue Aug 21, 2024
- rename GLOBAL_INITDATA to INITDATA
- rename CdhFilePath to CDHConfigPath
- rename AaFilePath to AAConfigPath

Fixes: confidential-containers#1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
huoqifeng pushed a commit to huoqifeng/cloud-api-adaptor that referenced this issue Aug 21, 2024
- Validate the initdata passed in both from configmap and annotation
Fixes: confidential-containers#1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
huoqifeng pushed a commit that referenced this issue Sep 2, 2024
- add global-initdata in configmap and parameters
Fixes: #1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
huoqifeng pushed a commit that referenced this issue Sep 2, 2024
- rename GLOBAL_INITDATA to INITDATA
- rename CdhFilePath to CDHConfigPath
- rename AaFilePath to AAConfigPath

Fixes: #1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
huoqifeng pushed a commit that referenced this issue Sep 2, 2024
- Validate the initdata passed in both from configmap and annotation
Fixes: #1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
huoqifeng pushed a commit that referenced this issue Sep 2, 2024
Fixes: #1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in CoCo Releases Sep 2, 2024
@huoqifeng huoqifeng reopened this Sep 2, 2024
stevenhorsman (Member) commented:

KBS cert depends on the KBS repo for support, but we can split this out into a separate issue for clarity if we want to test this in peer pods at all (rather than leave it to the attestation - kbs testing to cover).
