Add nebula_ca plugin #539

Draft: wants to merge 15 commits into base: main

Conversation

cclaudio

This PR adds the nebula_ca plugin on top of the new design proposed in #514.

No test cases added yet.

At this point, the kbs-client patch is just a hack to be able to test the plugin. However, as explained in the commit message the kbs-client is failing.

Xynnn007 and others added 15 commits September 27, 2024 15:28
This refactoring combines all RCAR (attestation) related code into one
module. This would help better modularization and error handling.

Signed-off-by: Xynnn007 <[email protected]>
Actually, the ITA token and CoCo Token are both JWTs. They both need a
JWK to verify the JWT. The difference is the way to gather the JWK.

This commit combines the two logics and adds two ways to get the JWK.
1. From the configured JwkSet when launching KBS
2. From the JWT's Header's jwk field.

The two ways will check the JWK endorsement in different ways. The first
way is to configure the trusted JwkSet from the config. The second way
is to configure the trusted CA in config, then get the public key cert
chain from the JWK's x5c field. Both ways are supported in this
patch.

Rust does not provide a mature crate to verify cert chains, thus openssl
is used in this patch. We also abandon the rustls and openssl features of KBS
because openssl is used by default. Then we use openssl by default to
make the code base simpler.

Signed-off-by: Xynnn007 <[email protected]>
This commit does some refactoring upon the policy engine module, including:
1. Change ResourcePolicyError to PolicyEngineError. This is because in
future, different client plugins would share the same policy engine, thus the
new name will match better.
2. Add a new `set_policy` API for PolicyEngine. This API will handle
SetPolicyInput format requests rather than the plaintext of the policy. This
would help to integrate into the KBS server.

The plugin mechanism is by default enabled, thus we delete `opa` and
`policy` feature. By default integrate `regorus` crate for policy.

Signed-off-by: Xynnn007 <[email protected]>
This module brings all admin authentication logic together. Currently it
allows using a public key to verify the admin access.

Signed-off-by: Xynnn007 <[email protected]>
The resource module brings all resource storage logic together, thus
helping modularization. Also, it changes both `read_secret_resource` and
`write_secret_resource` to Fn rather than FnMut. This leaves the
synchronization handling to the concrete underlying plugins, thus promoting
performance because we can avoid a global Mutex.

Signed-off-by: Xynnn007 <[email protected]>
The Plugins module provides a plugin mechanism for developers to extend
the KBS client APIs. This also provides a Sample implementation as an
example.

Signed-off-by: Xynnn007 <[email protected]>
This is mostly a refactoring patch for KBS. It brings API serving into
one function, which will perform different sub-functions according to the
requested plugin name.

This also changes all configuration codes to have a default value.

This patch would have some compatibility issues as it changes the old
configuration format. The old configuration format is not well
classified. This patch tidies the configuration items.

Signed-off-by: Xynnn007 <[email protected]>
This patch fixes example configurations of KBS inside this codebase.
Also, it fixes the CI test.

Signed-off-by: Xynnn007 <[email protected]>
Now the KBS can be built with support for all backend ASes and enable
one of them at runtime according to the configuration file.

Signed-off-by: Xynnn007 <[email protected]>
The plugin can generate credentials for CoCo PODs (or VMs) that want to
join a Nebula encrypted overlay network. The service is accessible only
to CoCo PODs that were attested.

At the initialization phase, the plugin generates the CA key and
certificate based on the config pointed to in the kbs-config.toml.

At runtime, the plugin can take GET requests to generate credentials.
The parameters are provided via query string; the CoCo POD node name and
IP address (CIDR format, e.g. 10.9.1.2/21) are required, the other
parameters listed in the NebulaCredentialParams structure are optional.

Signed-off-by: Claudio Carvalho <[email protected]>
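The commit above says the nebula_ca plugin takes its parameters from a query string and that the node name and CIDR address are required. The following is an added example, not code from the KBS project or this PR, showing how such a query string (the `ip[ip]`, `ip[netbits]` and `name` keys come from the kbs-client command in this PR) can be parsed into a validated parameter set before anything is signed. It fails closed on missing, duplicated or unknown keys, bounds-checks the prefix length, and restricts the node name to a conservative character set; the `groups` key, the 64-character name limit and the `CredentialParams` type are assumptions for the example, not fields of the plugin's `NebulaCredentialParams`.

```rust
// Added example (not KBS project code): parse and validate the query string
// described in the nebula_ca commit into a CredentialParams value.
use std::collections::HashMap;
use std::net::Ipv4Addr;

#[derive(Debug, PartialEq)]
pub struct CredentialParams {
    pub name: String,       // node name, required
    pub ip: Ipv4Addr,       // overlay address, required (ip[ip])
    pub netbits: u8,        // prefix length, required (ip[netbits])
    pub groups: Vec<String>, // assumed optional key "groups", comma separated
}

#[derive(Debug, PartialEq)]
pub enum ParamError {
    Missing(&'static str),
    Invalid(&'static str),
    Duplicate(String),
    Unknown(String),
}

const KNOWN_KEYS: [&str; 4] = ["name", "ip[ip]", "ip[netbits]", "groups"];

impl CredentialParams {
    /// Renders the address in the "10.9.1.2/21" form the commit message cites.
    pub fn cidr(&self) -> String {
        format!("{}/{}", self.ip, self.netbits)
    }
}

/// Parses "ip[ip]=10.9.8.2&ip[netbits]=21&name=podA" style input.
/// Every key may appear once; unknown keys are rejected rather than ignored,
/// so a typo such as "ip[netbit]=21" cannot silently turn into a default.
pub fn parse_credential_query(query: &str) -> Result<CredentialParams, ParamError> {
    let mut seen: HashMap<&str, &str> = HashMap::new();
    for pair in query.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').ok_or(ParamError::Invalid("pair"))?;
        if !KNOWN_KEYS.contains(&k) {
            return Err(ParamError::Unknown(k.to_string()));
        }
        if seen.insert(k, v).is_some() {
            return Err(ParamError::Duplicate(k.to_string()));
        }
    }

    // Node name: required, bounded length, alphanumerics plus '-', '_', '.'.
    let name = *seen.get("name").ok_or(ParamError::Missing("name"))?;
    let name_ok = !name.is_empty()
        && name.len() <= 64
        && name.chars().all(|c| c.is_ascii_alphanumeric() || "-_.".contains(c));
    if !name_ok {
        return Err(ParamError::Invalid("name"));
    }

    // Address: required, must be a well-formed IPv4 literal.
    let ip: Ipv4Addr = seen
        .get("ip[ip]")
        .ok_or(ParamError::Missing("ip[ip]"))?
        .parse()
        .map_err(|_| ParamError::Invalid("ip[ip]"))?;

    // Prefix length: required, 1..=32 (0 would hand out the whole address space).
    let netbits: u8 = seen
        .get("ip[netbits]")
        .ok_or(ParamError::Missing("ip[netbits]"))?
        .parse()
        .map_err(|_| ParamError::Invalid("ip[netbits]"))?;
    if !(1..=32).contains(&netbits) {
        return Err(ParamError::Invalid("ip[netbits]"));
    }

    // Optional groups list; empty entries are dropped.
    let groups = seen
        .get("groups")
        .map(|g| g.split(',').filter(|s| !s.is_empty()).map(str::to_string).collect())
        .unwrap_or_default();

    Ok(CredentialParams { name: name.to_string(), ip, netbits, groups })
}

fn main() {
    // Constructed sample input matching the kbs-client invocation in this PR.
    match parse_credential_query("ip[ip]=10.9.8.2&ip[netbits]=21&name=podA") {
        Ok(p) => println!("would issue credential for {} at {}", p.name, p.cidr()),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The parser deliberately runs before any CA signing: if the plugin only signs what it has validated, a malformed or ambiguous request cannot produce a certificate for an unintended address or name.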
…ugins

This is just a hack to be able to test the nebula_ca plugin.

$ cd kbs && make cli ATTESTER=snp-attester && make install-cli
$ docker compose up

$ kbs-client config --auth-private-key kbs/config/private.key set-resource-policy --policy-file  kbs/sample_policies/allow_all.rego
$ kbs-client get-resource --plugin-name "nebula_ca" --resource-path "credential?ip[ip]=10.9.8.2&ip[netbits]=21&name=podA"

Currently, the last command is failing, reporting:
Error: request unauthorized

and in the trustee log:
ERROR kbs::error] TokenVerifierError(TokenVerificationFailed { source: Cannot verify token since trusted JWK Set is empty })

I did not get to the bottom of the problem yet, but I think I may need
the PR confidential-containers#524 as well