confidential-containers · huoqifeng · Jun 26, 2024 · Jun 20, 2024 · Jun 22, 2024 · Jun 24, 2024
@@ -7,7 +7,7 @@ import (
 	"os"
 
 	cmdUtil "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/cmd"
-	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/agent"
+	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/aa"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh"
 	daemon "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/forwarder"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/userdata"
@@ -19,8 +19,7 @@ const (
 	providerAzure = "azure"
 	providerAws   = "aws"
 
-	defaultAgentConfigPath = "/etc/agent-config.toml"
-	defaultAuthJsonPath    = "/run/peerpod/auth.json"
+	defaultAuthJsonPath = "/run/peerpod/auth.json"
 )
 
 var versionFlag bool
@@ -37,36 +36,25 @@ var rootCmd = &cobra.Command{
 }
 
 func init() {
-	var agentConfigPath, cdhConfigPath, daemonConfigPath string
+	var aaConfigPath, cdhConfigPath, daemonConfigPath string
 	var fetchTimeout int
 
 	rootCmd.PersistentFlags().BoolVarP(&versionFlag, "version", "v", false, "Print the version")
 	rootCmd.PersistentFlags().StringVarP(&daemonConfigPath, "daemon-config-path", "d", daemon.DefaultConfigPath, "Path to a daemon config file")
+	rootCmd.PersistentFlags().StringVarP(&aaConfigPath, "aa-config-path", "a", aa.DefaultAaConfigPath, "Path to a AA config file")
 	rootCmd.PersistentFlags().StringVarP(&cdhConfigPath, "cdh-config-path", "c", cdh.ConfigFilePath, "Path to a CDH config file")
 
 	var provisionFilesCmd = &cobra.Command{
 		Use:   "provision-files",
 		Short: "Provision required files based on user data",
 		RunE: func(_ *cobra.Command, _ []string) error {
-			cfg := userdata.NewConfig(defaultAuthJsonPath, daemonConfigPath, cdhConfigPath, fetchTimeout)
+			cfg := userdata.NewConfig(aaConfigPath, defaultAuthJsonPath, daemonConfigPath, cdhConfigPath, fetchTimeout)
 			return userdata.ProvisionFiles(cfg)
 		},
 		SilenceUsage: true, // Silence usage on error
 	}
 	provisionFilesCmd.Flags().IntVarP(&fetchTimeout, "user-data-fetch-timeout", "t", 180, "Timeout (in secs) for fetching user data")
 	rootCmd.AddCommand(provisionFilesCmd)
-
-	var updateAgentConfigCmd = &cobra.Command{
-		Use:   "update-agent-config",
-		Short: "Update the agent configuration file",
-		RunE: func(_ *cobra.Command, _ []string) error {
-			cfg := agent.NewConfig(agentConfigPath, defaultAuthJsonPath, daemonConfigPath)
-			return agent.UpdateConfig(cfg)
-		},
-		SilenceUsage: true, // Silence usage on error
-	}
-	updateAgentConfigCmd.Flags().StringVarP(&agentConfigPath, "agent-config-file", "a", defaultAgentConfigPath, "Path to a agent config file")
-	rootCmd.AddCommand(updateAgentConfigCmd)
 }
 
 func main() {

@@ -55,7 +55,6 @@ require (
 	github.com/pelletier/go-toml/v2 v2.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
-	github.com/tj/assert v0.0.3
 	golang.org/x/crypto v0.23.0
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2
 	google.golang.org/protobuf v1.33.0

@@ -540,8 +540,6 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtse
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk=
-github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=

@@ -0,0 +1,51 @@
+package aa
+
+import (
+	"fmt"
+	"strings"
+
+	toml "github.com/pelletier/go-toml/v2"
+)
+
+const (
+	DefaultAaConfigPath = "/run/peerpod/aa.toml"
+)
+
+type AAConfig struct {
+	TokenCfg struct {
+		CocoAs struct {
+			URL string `toml:"url"`
+		} `toml:"coco_as"`
+		Kbs struct {
+			URL string `toml:"url"`
+		} `toml:"kbs"`
+	} `toml:"token_configs"`
+}
+
+func parseAAKBCParams(aaKBCParams string) (string, error) {
+	parts := strings.SplitN(aaKBCParams, "::", 2)
+	if len(parts) != 2 {
+		return "", fmt.Errorf("Invalid aa-kbs-params input: %s", aaKBCParams)
+	}
+	_, url := parts[0], parts[1]
+	return url, nil
+}
+
+func CreateConfigFile(aaKBCParams string) (string, error) {
+	url, err := parseAAKBCParams(aaKBCParams)
+	if err != nil {
+		return "", err
+	}
+
+	config := AAConfig{}
+	// Assume KBS and AS has same endpoint
+	// Need a new parameter in addition to aaKBCParams if deploy AS and KBS separately.
+	config.TokenCfg.CocoAs.URL = url
+	config.TokenCfg.Kbs.URL = url
+
+	bytes, err := toml.Marshal(config)
+	if err != nil {
+		return "", err
+	}
+	return string(bytes), nil
+}
@@ -0,0 +1,36 @@
+package aa
+
+import (
+	"testing"
+)
+
+func Test_parseAAKBCParams(t *testing.T) {
+	url, err := parseAAKBCParams("cc_kbc::http://127.0.0.1:8080")
+	if err != nil {
+		t.Error(err)
+	}
+
+	expected := "http://127.0.0.1:8080"
+	if url != expected {
+		t.Errorf("Expected %s, got %s", expected, url)
+	}
+}
+
+func TestConfigFile(t *testing.T) {
+	refcfg := `[token_configs]
+[token_configs.coco_as]
+url = 'http://127.0.0.1:8080'
+
+[token_configs.kbs]
+url = 'http://127.0.0.1:8080'
+`
+
+	config, err := CreateConfigFile("cc_kbc::http://127.0.0.1:8080")
+	if err != nil {
+		t.Error(err)
+	}
+
+	if config != refcfg {
+		t.Errorf("Expected: \n%s, got: \n%s", refcfg, config)
+	}
+}
@@ -19,6 +19,7 @@ import (
 	"github.com/containerd/containerd/pkg/cri/annotations"
 	pb "github.com/kata-containers/kata-containers/src/runtime/protocols/hypervisor"
 
+	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/aa"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/k8sops"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/adaptor/proxy"
 	"github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/pkg/cdh"
@@ -271,6 +272,7 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 	}
 
 	if s.aaKBCParams != "" {
+		logger.Printf("aaKBCParams: %s, support cc_kbc::*", s.aaKBCParams)
 		toml, err := cdh.CreateConfigFile(s.aaKBCParams)
 		if err != nil {
 			return nil, fmt.Errorf("creating CDH config: %w", err)
@@ -279,6 +281,15 @@ func (s *cloudService) CreateVM(ctx context.Context, req *pb.CreateVMRequest) (r
 			Path:    cdh.ConfigFilePath,
 			Content: toml,
 		})
+
+		toml, err = aa.CreateConfigFile(s.aaKBCParams)
+		if err != nil {
+			return nil, fmt.Errorf("creating attestation agent config: %w", err)
+		}
+		cloudConfig.WriteFiles = append(cloudConfig.WriteFiles, cloudinit.WriteFile{
+			Path:    aa.DefaultAaConfigPath,
+			Content: toml,
+		})
 	}
 
 	sandbox := &sandbox{