initdata: remove AA_KBC_PARAMS and aaKBCParams

Fixes: confidential-containers#1985

Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>

src/cloud-api-adaptor/cmd/cloud-api-adaptor/main.go

@@ -25,7 +25,6 @@ import (
 
 const (
 	programName           = "cloud-api-adaptor"
-	AA_KBC_PARAMS_DEFAULT = "cc_kbc::http://127.0.0.1:8080"
 )
 
 type daemonConfig struct {
@@ -122,7 +121,6 @@ func (cfg *daemonConfig) Setup() (cmd.Starter, error) {
 		flags.StringVar(&cfg.networkConfig.HostInterface, "host-interface", "", "Host Interface")
 		flags.IntVar(&cfg.networkConfig.VXLANPort, "vxlan-port", vxlan.DefaultVXLANPort, "VXLAN UDP port number (VXLAN tunnel mode only")
 		flags.IntVar(&cfg.networkConfig.VXLANMinID, "vxlan-min-id", vxlan.DefaultVXLANMinID, "Minimum VXLAN ID (VXLAN tunnel mode only")
-		flags.StringVar(&cfg.serverConfig.AAKBCParams, "aa-kbc-params", "", "attestation-agent KBC parameters")
 		flags.BoolVar(&cfg.serverConfig.EnableCloudConfigVerify, "cloud-config-verify", false, "Enable cloud config verify - should use it for production")
 
 		cloud.ParseCmd(flags)
@@ -142,8 +140,6 @@ func (cfg *daemonConfig) Setup() (cmd.Starter, error) {
 		cfg.serverConfig.SecureCommsInbounds = secureCommsInbounds
 		cfg.serverConfig.SecureCommsOutbounds = secureCommsOutbounds
 		cfg.serverConfig.SecureCommsKbsAddress = secureCommsKbsAddr
-
-		cfg.serverConfig.AAKBCParams = AA_KBC_PARAMS_DEFAULT
 	} else {
 		if !disableTLS {
 			cfg.serverConfig.TLSConfig = &tlsConfig

src/cloud-api-adaptor/docs/addnewprovider.md

@@ -282,7 +282,6 @@ optionals+=""
 [[ "${CERT_FILE}" ]] && [[ "${CERT_KEY}" ]] && optionals+="-cert-file ${CERT_FILE} -cert-key ${CERT_KEY} "
 [[ "${TLS_SKIP_VERIFY}" ]] && optionals+="-tls-skip-verify "
 [[ "${PROXY_TIMEOUT}" ]] && optionals+="-proxy-timeout ${PROXY_TIMEOUT} "
-[[ "${AA_KBC_PARAMS}" ]] && optionals+="-aa-kbc-params ${AA_KBC_PARAMS} "
 [[ "${FORWARDER_PORT}" ]] && optionals+="-forwarder-port ${FORWARDER_PORT} "
 [[ "${CLOUD_CONFIG_VERIFY}" == "true" ]] && optionals+="-cloud-config-verify "
 
@@ -396,7 +395,7 @@ cloud-api-adaptor version v0.8.2-dev
 cloud-api-adaptor: starting Cloud API Adaptor daemon for "libvirt"
 2024/04/17 04:34:56 [adaptor/cloud/libvirt] libvirt config: &libvirt.Config{URI:"qemu+ssh://root@192.168.122.1/system?no_verify=1", PoolName:"default", NetworkName:"default", DataDir:"/opt/data-dir", DisableCVM:true, VolName:"podvm-base.qcow2", LaunchSecurity:"", Firmware:"/usr/share/edk2/ovmf/OVMF_CODE.fd"}
 2024/04/17 04:34:56 [adaptor/cloud/libvirt] Created libvirt connection
-2024/04/17 04:34:56 [adaptor] server config: &adaptor.ServerConfig{TLSConfig:(*tlsutil.TLSConfig)(0xc0000d4080), SocketPath:"/run/peerpod/hypervisor.sock", CriSocketPath:"", PauseImage:"", PodsDir:"/run/peerpod/pods", ForwarderPort:"15150", ProxyTimeout:300000000000, AAKBCParams:"", EnableCloudConfigVerify:false}
+2024/04/17 04:34:56 [adaptor] server config: &adaptor.ServerConfig{TLSConfig:(*tlsutil.TLSConfig)(0xc0000d4080), SocketPath:"/run/peerpod/hypervisor.sock", CriSocketPath:"", PauseImage:"", PodsDir:"/run/peerpod/pods", ForwarderPort:"15150", ProxyTimeout:300000000000, EnableCloudConfigVerify:false}
 2024/04/17 04:34:56 [util/k8sops] initialized PeerPodService
 2024/04/17 04:34:56 [probe/probe] Using port: 8000
 2024/04/17 04:34:56 [adaptor] server started

src/cloud-api-adaptor/docs/initdata.md

@@ -2,7 +2,6 @@
 
 The document describes the implementation of the [initdata](https://github.com/confidential-containers/trustee/blob/main/kbs/docs/initdata.md) spec in PeerPods.
 
-Initdata is used when `AA_KBC_PARAMS` is not set at the moment, the plan is to remove `AA_KBC_PARAMS` support after `initdata` function works completely.
 
 ## Initdata example
 

src/cloud-api-adaptor/entrypoint.sh

@@ -18,7 +18,6 @@ optionals+=""
 [[ "${CERT_FILE}" ]] && [[ "${CERT_KEY}" ]] && optionals+="-cert-file ${CERT_FILE} -cert-key ${CERT_KEY} "
 [[ "${TLS_SKIP_VERIFY}" ]] && optionals+="-tls-skip-verify "
 [[ "${PROXY_TIMEOUT}" ]] && optionals+="-proxy-timeout ${PROXY_TIMEOUT} "
-[[ "${AA_KBC_PARAMS}" ]] && optionals+="-aa-kbc-params ${AA_KBC_PARAMS} "
 [[ "${FORWARDER_PORT}" ]] && optionals+="-forwarder-port ${FORWARDER_PORT} "
 [[ "${CLOUD_CONFIG_VERIFY}" == "true" ]] && optionals+="-cloud-config-verify "
 [[ "${SECURE_COMMS}" == "true" ]] && optionals+="-secure-comms "

src/cloud-api-adaptor/install/overlays/azure/kustomization.yaml

@@ -33,7 +33,6 @@ configMapGenerator:
   # /subscriptions/<AZURE_SUBSCRIPTION_ID>/resourceGroups/<AZURE_RESOURCE_GROUP>/providers/Microsoft.Compute/images/<AZURE_IMAGE>
   - AZURE_IMAGE_ID="" #set
   - SSH_USERNAME="" #set peer pod vm admin user name
-  - AA_KBC_PARAMS="" #set KBC params for podvm
   #- DISABLECVM="" # Uncomment it if you want a generic VM
   #- PAUSE_IMAGE="" # Uncomment and set if you want to use a specific pause image
   #- VXLAN_PORT="" # Uncomment and set if you want to use a specific vxlan port. Defaults to 4789

src/cloud-api-adaptor/install/overlays/libvirt/kustomization.yaml

@@ -24,7 +24,6 @@ configMapGenerator:
   - LIBVIRT_POOL="default" # set
   - DISABLECVM="true" # set as false to enable confidential VM
   - SECURE_COMMS="false" # set as true to enable Secure Comms
-  - AA_KBC_PARAMS="" #set KBC params for podvm
   #- LIBVIRT_LAUNCH_SECURITY="" #sev or s390-pv
   #- LIBVIRT_FIRMWARE="" # Uncomment and set if you want to change the firmware path. Defaults to /usr/share/edk2/ovmf/OVMF_CODE.fd
   #- LIBVIRT_VOL_NAME="" # Uncomment and set if you want to use a specific volume name. Defaults to podvm-base.qcow2

src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go

@@ -19,11 +19,9 @@ import (
 	"github.com/containerd/containerd/pkg/cri/annotations"
 	pb "github.com/kata-containers/kata-containers/src/runtime/protocols/hypervisor"
 
-	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/aa"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/k8sops"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/proxy"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/agent"
-	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/forwarder"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/podnetwork"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/securecomms/wnssh"
@@ -35,7 +33,9 @@ import (
 
 const (
 	SrcAuthfilePath = "/root/containers/auth.json"
+	AaFilePath      = "/run/peerpod/aa.toml"
 	AuthFilePath    = "/run/peerpod/auth.json"
+	CdhFilePath     = "/run/peerpod/cdh.toml"
 	InitdataPath    = "/run/peerpod/initdata"
 	Version         = "0.0.0"
 )
@@ -81,7 +81,7 @@ func (s *cloudService) removeSandbox(id sandboxID) error {
 }
 
 func NewService(provider provider.Provider, proxyFactory proxy.Factory, workerNode podnetwork.WorkerNode,
-	secureComms bool, secureCommsInbounds, secureCommsOutbounds, kbsAddress, podsDir, daemonPort, aaKBCParams, sshport string) Service {
+	secureComms bool, secureCommsInbounds, secureCommsOutbounds, kbsAddress, podsDir, daemonPort, sshport string) Service {
 	var err error
 	var sshClient *wnssh.SshClient
 
@@ -101,7 +101,6 @@ func NewService(provider provider.Provider, proxyFactory proxy.Factory, workerNo
 		podsDir:      podsDir,
 		daemonPort:   daemonPort,
 		workerNode:   workerNode,
-		aaKBCParams:  aaKBCParams,
 		sshClient:    sshClient,
 	}
 	s.cond = sync.NewCond(&s.mutex)
@@ -296,39 +295,13 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 		}
 	}
 
-	if s.aaKBCParams != "" { // Keep AA_KBC_PARAMS support as it is used by e2e test, KBS is dynamic k8s service in e2e test
-		logger.Printf("aaKBCParams: %s, support cc_kbc::*", s.aaKBCParams)
-		toml, err := cdh.CreateConfigFile(s.aaKBCParams)
-		if err != nil {
-			return nil, fmt.Errorf("creating CDH config: %w", err)
-		}
-		cloudConfig.WriteFiles = append(cloudConfig.WriteFiles, cloudinit.WriteFile{
-			Path:    cdh.ConfigFilePath,
-			Content: toml,
-		})
-
-		toml, err = aa.CreateConfigFile(s.aaKBCParams)
-		if err != nil {
-			return nil, fmt.Errorf("creating attestation agent config: %w", err)
-		}
-		cloudConfig.WriteFiles = append(cloudConfig.WriteFiles, cloudinit.WriteFile{
-			Path:    aa.ConfigFilePath,
-			Content: toml,
-		})
-	}
-
 	initdataStr := util.GetInitdataFromAnnotation(req.Annotations)
 	logger.Printf("initdata: %s", initdataStr)
 	if initdataStr != "" {
-		if s.aaKBCParams != "" {
-			logger.Printf("Initdata ignored because AA_KBC_PARAMS set")
-		} else {
-			logger.Printf("Set and use initdata when no AA_KBC_PARAMS")
-			cloudConfig.WriteFiles = append(cloudConfig.WriteFiles, cloudinit.WriteFile{
-				Path:    InitdataPath,
-				Content: initdataStr,
-			})
-		}
+		cloudConfig.WriteFiles = append(cloudConfig.WriteFiles, cloudinit.WriteFile{
+			Path:    InitdataPath,
+			Content: initdataStr,
+		})
 	}
 
 	sandbox := &sandbox{

src/cloud-api-adaptor/pkg/adaptor/cloud/cloud_test.go

@@ -117,7 +117,7 @@ func TestCloudService(t *testing.T) {
 		podsDir: dir,
 	}
 
-	s := NewService(&mockProvider{}, proxyFactory, &mockWorkerNode{}, false, "", "", "", dir, forwarder.DefaultListenPort, "", "")
+	s := NewService(&mockProvider{}, proxyFactory, &mockWorkerNode{}, false, "", "", "", dir, forwarder.DefaultListenPort, "")
 
 	assert.NotNil(t, s)
 

src/cloud-api-adaptor/pkg/adaptor/cloud/types.go

@@ -35,7 +35,6 @@ type cloudService struct {
 	daemonPort   string
 	mutex        sync.Mutex
 	ppService    *k8sops.PeerPodService
-	aaKBCParams  string
 	sshClient    *wnssh.SshClient
 }
 

src/cloud-api-adaptor/pkg/adaptor/server.go

@@ -39,7 +39,6 @@ type ServerConfig struct {
 	PodsDir                 string
 	ForwarderPort           string
 	ProxyTimeout            time.Duration
-	AAKBCParams             string
 	EnableCloudConfigVerify bool
 	SecureComms             bool
 	SecureCommsInbounds     string
@@ -71,7 +70,7 @@ func NewServer(provider provider.Provider, cfg *ServerConfig, workerNode podnetw
 
 	agentFactory := proxy.NewFactory(cfg.PauseImage, cfg.TLSConfig, cfg.ProxyTimeout)
 	cloudService := cloud.NewService(provider, agentFactory, workerNode,
-		cfg.SecureComms, cfg.SecureCommsInbounds, cfg.SecureCommsOutbounds, cfg.SecureCommsKbsAddress, cfg.PodsDir, cfg.ForwarderPort, cfg.AAKBCParams, sshutil.SSHPORT)
+		cfg.SecureComms, cfg.SecureCommsInbounds, cfg.SecureCommsOutbounds, cfg.SecureCommsKbsAddress, cfg.PodsDir, cfg.ForwarderPort, sshutil.SSHPORT)
 	vmInfoService := vminfo.NewService(cloudService)
 
 	return &server{

src/cloud-api-adaptor/pkg/userdata/provision.go

@@ -14,10 +14,8 @@ import (
 	"time"
 
 	"github.com/avast/retry-go/v4"
-	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/aa"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/cloud"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/agent"
-	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/forwarder"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-providers/aws"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-providers/azure"
@@ -33,8 +31,8 @@ const (
 )
 
 var logger = log.New(log.Writer(), "[userdata/provision] ", log.LstdFlags|log.Lmsgprefix)
-var WriteFilesList = []string{aa.ConfigFilePath, cdh.ConfigFilePath, agent.ConfigFilePath, forwarder.DefaultConfigPath, cloud.AuthFilePath, cloud.InitdataPath}
-var InitdDataFilesList = []string{aa.ConfigFilePath, cdh.ConfigFilePath, PolicyPath}
+var WriteFilesList = []string{cloud.AaFilePath, cloud.CdhFilePath, agent.ConfigFilePath, forwarder.DefaultConfigPath, cloud.AuthFilePath, cloud.InitdataPath}
+var InitdDataFilesList = []string{cloud.AaFilePath, cloud.CdhFilePath, PolicyPath}
 
 type Config struct {
 	fetchTimeout  int