Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cdh golang client interface #557

Merged
merged 9 commits into from
May 29, 2024
Merged

Add cdh golang client interface #557

merged 9 commits into from
May 29, 2024

Conversation

ChengyuZhu6
Copy link
Member

@ChengyuZhu6 ChengyuZhu6 commented May 17, 2024
edited
Loading

This client interface streamlines the process of connecting to CDH and leveraging its APIs. The Go version is very useful for integrating the CDH with containerd plugins, including NRI and image verifiers, where CDH operates as an independent module.

Note that this PR includes only the interface for UnsealSecret.
I think other interfaces can be implemented in the following PRs.

Fixes: #556

@ChengyuZhu6 ChengyuZhu6 requested a review from sameo as a code owner May 17, 2024 13:36
@ChengyuZhu6
Copy link
Member Author

cc @arronwy @Xynnn007

Xynnn007
Xynnn007 reviewed May 20, 2024
View reviewed changes
Copy link
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ChengyuZhu6 .

I think the pkg in golang for CDH would make great sense to users working in k8s ecosystem. Some comments

confidential-data-hub/golang/cmd/grpc-client/main.go Outdated Show resolved Hide resolved
confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc.proto Outdated
@@ -0,0 +1,46 @@
syntax = "proto3";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we reuse the proto already defined in https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/hub/protos/api.proto? This could help with so-called "single truth of source".

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc.proto Outdated Show resolved Hide resolved
ChengyuZhu6 added 7 commits May 20, 2024 21:01
cdh:golang: unseal secret from env in cdh grpc client
eacd5dd 
Support to unseal secret from env in in grpc client.

Fixes: confidential-containers#556

Signed-off-by: ChengyuZhu6 <[email protected]>
cdh:golang: unseal secret from file in cdh grpc client
576e7ed 
Support to unseal secret from file in cdh grpc client.

Signed-off-by: ChengyuZhu6 <[email protected]>
cdh:golang: build cdh go grpc client
b088427 
Support to build cdh go grpc client.

Signed-off-by: ChengyuZhu6 <[email protected]>
cdh:golang: unseal secret from env in cdh ttrpc client
3c90c1a 
Support to unseal secret from env in in ttrpc client.

Signed-off-by: ChengyuZhu6 <[email protected]>
cdh:golang: unseal secret from file in cdh ttrpc client
236f919 
Support to unseal secret from file in cdh ttrpc client.

Signed-off-by: ChengyuZhu6 <[email protected]>
cdh:golang: build cdh go ttrpc client
f478f08 
Support to build cdh go ttrpc client.

Signed-off-by: ChengyuZhu6 <[email protected]>
cdh:golang: define common logic for both gRPC and TTRPC
e786f43 
Define an interface `SecretUnsealer` that both gRPC and TTRPC go clients can implement.
Define common implementation `UnsealEnv` and `UnsealFile` that can be used by both gRPC and TTRPC clients.

Signed-off-by: ChengyuZhu6 <[email protected]>
@ChengyuZhu6 ChengyuZhu6 force-pushed the golang branch 10 times, most recently from 89ad7b2 to ead51b2 Compare May 20, 2024 14:23
cdh:golang: support to configure flags by commandline input
0e02fc9 
support to configure flags by command line input, such as :
OperationType: The operation type to perform
Socket: The rpc socket path
OperationInterface: The interface to use for the operation
OperationInput: The input value to use for the operation interface
rpcType: get the rpc type for the client

Signed-off-by: ChengyuZhu6 <[email protected]>
cdh:golang: Add README for cdh go client
c176541 
Add README for cdh go client.

Signed-off-by: ChengyuZhu6 <[email protected]>
Xynnn007
Xynnn007 approved these changes May 21, 2024
View reviewed changes
Copy link
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice to me. One last question is that we'd better have CI to cover this, but I think it is ok to be in a separate PR.

fitzthum
fitzthum reviewed May 21, 2024
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this will be used inside of a guest? I associate Go more with k8s on the host. Can you elaborate on the integrations that you mentioned? I am slightly wary of supporting more languages although overall this PR looks fine (with my modest understanding of Go).

@ChengyuZhu6
Copy link
Member Author

So this will be used inside of a guest? I associate Go more with k8s on the host. Can you elaborate on the integrations that you mentioned? I am slightly wary of supporting more languages although overall this PR looks fine (with my modest understanding of Go).

Ok. I have successfully integrated CDH with NRI plugin in containerd. This allows us to unseal secrets in NRI plugin using the CDH Go client, rather than having to execute CDH binary to get unsealed values.

@ChengyuZhu6
Copy link
Member Author

ChengyuZhu6 commented May 23, 2024
edited
Loading

So this will be used inside of a guest? I associate Go more with k8s on the host. Can you elaborate on the integrations that you mentioned? I am slightly wary of supporting more languages although overall this PR looks fine (with my modest understanding of Go).

I unseal secret with NRI plugin during CreateContainer stage in k8s.

result:
image

pod yaml:

apiVersion: v1
kind: Pod
metadata:
  name: registry
spec:
  containers:
    - name: registry
      image: quay.io/chengyu_zhu/registry:latest
      command: [ "/bin/sh", "-c", "env && sleep 3000" ]
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: secret-sealed
              key: sealed-secret

sealed secret:

---
apiVersion: v1
kind: Secret
metadata:
  name: secret-sealed
type: Opaque
stringData:
  sealed-secret: sealed.fakeheader.ewogICJ2ZXJzaW9uIjogIjAuMS4wIiwKICAidHlwZSI6ICJ2YXVsdCIsCiAgIm5hbWUiOiAia2JzOi8vL2RlZmF1bHQvdHlwZS90YWciLAogICJwcm92aWRlciI6ICJrYnMiLAogICJwcm92aWRlcl9zZXR0aW5ncyI6IHt9LAogICJhbm5vdGF0aW9ucyI6IHt9Cn0K.fakesignature

fitzthum
fitzthum approved these changes May 24, 2024
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I'm a bit wary of supporting another language, but I think I understand this use case.

@Xynnn007
Copy link
Member

Ok, I'm a bit wary of supporting another language, but I think I understand this use case.

As AA/CDH would be used in more scenarios beyond CoCo, it would make sense to maintain only the client side code of both in some way. Probably guest-components is not the best place, and we might need another repo named something like client-tools-golang.

wdyt?

@fitzthum
Copy link
Member

As AA/CDH would be used in more scenarios beyond CoCo, it would make sense to maintain only the client side code of both in some way. Probably guest-components is not the best place, and we might need another repo named something like client-tools-golang.

Yeah in some ways this seems better although there would probably be some synchronization cost.

wdyth @mkulke

@mkulke
Copy link
Contributor

mkulke commented May 28, 2024

As AA/CDH would be used in more scenarios beyond CoCo, it would make sense to maintain only the client side code of both in some way. Probably guest-components is not the best place, and we might need another repo named something like client-tools-golang.

Yeah in some ways this seems better although there would probably be some synchronization cost.

wdyth @mkulke

I'd agree that it's a valid use case to leverage CDH with existing container tooling, but I'm not sure it should be in guest-components, since I understand this is not a (confidential) guest-component for kata-guests.

@fitzthum
Copy link
Member

fitzthum commented May 28, 2024
edited
Loading

We do already have some client tools in this repo, such as the secret-cli. (that might be the only one, I forget)

@mkulke
Copy link
Contributor

mkulke commented May 28, 2024

We do already have some client tools in this repo, such as the secret-cli. (that might be the only one, I forget)

I see, in this case the having golang libraries maintained alongside is fine, I guess.

@Xynnn007
Copy link
Member

@fitzthum @mkulke Ok. Let's could move the golang things to a separate repo if needed.

Over all, thanks @ChengyuZhu6 for the work!

@Xynnn007 Xynnn007 merged commit 33a8723 into confidential-containers:main May 29, 2024
4 checks passed
@ChengyuZhu6 ChengyuZhu6 deleted the golang branch July 5, 2024 05:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fitzthum fitzthum fitzthum approved these changes

@Xynnn007 Xynnn007 Xynnn007 approved these changes

@sameo sameo Awaiting requested review from sameo

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add cdh golang client interface
4 participants
@ChengyuZhu6 @Xynnn007 @fitzthum @mkulke