Refactor config

- Use `config` crate for configuration handling. - Use TOML as the canonical configuration format (JSON is still supported). - Consolidate all KBS config under a single KbsConfig struct. - Read all params except --config-file from a config file. - Refactor repository configuration. Consolidate all related properties under a new RepositoryConfig enum and express implementation-specific properties as structs rather than raw JSON. - Improve default handling for some types. - Provide config examples for the various attestation modes. - Reduce ambiguity by renaming multiple elements named "config" to more meaningful names. - Overhaul config.md to match new state. Add information about default values as well as feature flags. - Clean the coupling of crate::attestation::coco::grpc and the main module. grpc no longer depends on KbsConfig. - Pass explicit attestation configuration to Attest implementation constructors. - Update docker-compose and k8s files to match new config structure. Signed-off-by: Johanan Liebermann <[email protected]>
confidential-containers · Aug 21, 2023 · 6e9bd7e · 6e9bd7e
1 parent 0710d58
commit 6e9bd7e
Show file tree

Hide file tree

Showing 25 changed files with 593 additions and 327 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/config/docker-compose/kbs-config.toml b/config/docker-compose/kbs-config.toml
@@ -0,0 +1,6 @@
+sockets = ["0.0.0.0:8080"]
+auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
+insecure_http = true
+
+[grpc_config]
+as_addr = "http://as:50004"
diff --git a/config/kbs-config-amber.toml b/config/kbs-config-amber.toml
@@ -0,0 +1,7 @@
+insecure_http = true
+insecure_api = true
+
+[amber_config]
+base_url = "https://amber.com"
+api_key = "tBfd5kKX2x9ahbodKV1..."
+certs_file = "/etc/amber/amber-certs.txt"
diff --git a/config/kbs-config-grpc.toml b/config/kbs-config-grpc.toml
@@ -0,0 +1,5 @@
+insecure_http = true
+insecure_api = true
+
+[grpc_config]
+as_addr = "http://127.0.0.1:50004"
diff --git a/config/kbs-config.json b/config/kbs-config.json
diff --git a/config/kbs-config.toml b/config/kbs-config.toml
@@ -0,0 +1,19 @@
+insecure_http = true
+insecure_api = true
+attestation_token_type = "CoCo"
+
+[repository_config]
+type = "LocalFs"
+dir_path = "/opt/confidential-containers/kbs/repository"
+
+[as_config]
+work_dir = "/opt/confidential-containers/attestation-service"
+policy_engine = "opa"
+rvps_store_type = "LocalFs"
+attestation_token_broker = "Simple"
+
+[as_config.attestation_token_config]
+duration_min = 5
+
+[policy_engine_config]
+policy_path = "/opa/confidential-containers/kbs/policy.rego"
diff --git a/config/kubernetes/base/deployment.yaml b/config/kubernetes/base/deployment.yaml
@@ -20,29 +20,17 @@ spec:
         imagePullPolicy: Always
         command:
         - /usr/local/bin/kbs
-        - --socket
-        - 0.0.0.0:8080
-        - --config
-        - /etc/kbs/kbs-config.json
-        - --auth-public-key
-        - /kbs/kbs.pem
-        # Ideally we should use some solution like cert-manager to issue let's encrypt based certificate:
-        # https://cert-manager.io/docs/configuration/acme/
-        - --insecure-http
+        - --config-file
+        - /etc/kbs/kbs-config.toml
         volumeMounts:
         - name: kbs-auth-public-key
           mountPath: /kbs/
         - name: kbs-config
           mountPath: /etc/kbs/
-        - name: as-config
-          mountPath: /etc/as/
       volumes:
       - name: kbs-auth-public-key
         secret:
           secretName: kbs-auth-public-key
       - name: kbs-config
         configMap:
           name: kbs-config
-      - name: as-config
-        configMap:
-          name: as-config
diff --git a/config/kubernetes/base/kbs-config.json b/config/kubernetes/base/kbs-config.json
diff --git a/config/kubernetes/base/kbs-config.toml b/config/kubernetes/base/kbs-config.toml
@@ -0,0 +1,14 @@
+sockets = ["0.0.0.0:8080"]
+auth_public_key = "/kbs/kbs.pem"
+# Ideally we should use some solution like cert-manager to issue let's encrypt based certificate:
+# https://cert-manager.io/docs/configuration/acme/
+insecure_http = true
+
+[as_config]
+work_dir = "/opt/confidential-containers/attestation-service"
+policy_engine = "opa"
+rvps_store_type = "LocalFs"
+attestation_token_broker = "Simple"
+
+[as_config.attestation_token_config]
+duration_min = 5
diff --git a/config/kubernetes/base/kustomization.yaml b/config/kubernetes/base/kustomization.yaml
@@ -16,14 +16,10 @@ configMapGenerator:
 # KBS configuration.
 - name: kbs-config
   files:
-  - kbs-config.json
-- name: as-config
-  files:
-  - as-config.json
+  - kbs-config.toml
 
 secretGenerator:
 # KBS auth public key.
 - name: kbs-auth-public-key
   files:
   - kbs.pem
-
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,21 +7,16 @@ services:
     image: ghcr.io/confidential-containers/key-broker-service:latest
     command: [
         "/usr/local/bin/kbs",
-        "--socket",
-        "0.0.0.0:8080",
-        "--config",
-        "/etc/kbs-config.json",
-        "--auth-public-key",
-        "/opt/confidential-containers/kbs/user-keys/public.pub",
-        "--insecure-http"
+        "--config-file",
+        "/etc/kbs-config.toml",
       ]
     restart: always # keep the server running
     ports:
       - "8080:8080"
     volumes:
       - ./data/kbs-storage:/opt/confidential-containers/kbs/repository:rw
       - ./config/public.pub:/opt/confidential-containers/kbs/user-keys/public.pub
-      - ./config/kbs-config.json:/etc/kbs-config.json
+      - ./config/docker-compose/kbs-config.toml:/etc/kbs-config.toml
     depends_on:
     - as