cloud-api-adaptor: initialization of secure-comms

initialization changes to secure-comms Signed-off-by: David Hadas <david.hadas@gmail.com>
confidential-containers · Apr 9, 2024 · 58e0a7f · 58e0a7f
1 parent 0cda75a
commit 58e0a7f
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 16 deletions.
diff --git a/src/cloud-api-adaptor/cmd/agent-protocol-forwarder/main.go b/src/cloud-api-adaptor/cmd/agent-protocol-forwarder/main.go
@@ -23,7 +23,6 @@ import (
 const programName = "agent-protocol-forwarder"
 
 type Config struct {
-	secureComms         bool
 	tlsConfig           *tlsutil.TLSConfig
 	daemonConfig        daemon.Config
 	configPath          string
@@ -85,7 +84,6 @@ func (cfg *Config) Setup() (cmd.Starter, error) {
 	}
 
 	if secureComms {
-		cfg.secureComms = true
 		cfg.listenAddr = "127.0.0.1:15150"
 		inbounds := append([]string{"K:KATAAPI:15150"}, strings.Split(secureCommsInbounds, ",")...)
 		outbounds := append([]string{"B:KBS:8080"}, strings.Split(secureCommsOutbounds, ",")...)

diff --git a/src/cloud-api-adaptor/cmd/cloud-api-adaptor/main.go b/src/cloud-api-adaptor/cmd/cloud-api-adaptor/main.go
@@ -83,9 +83,11 @@ func (cfg *daemonConfig) Setup() (cmd.Starter, error) {
 	}
 
 	var (
-		disableTLS  bool
-		tlsConfig   tlsutil.TLSConfig
-		secureComms bool
+		disableTLS           bool
+		tlsConfig            tlsutil.TLSConfig
+		secureComms          bool
+		secureCommsInbounds  string
+		secureCommsOutbounds string
 	)
 
 	cmd.Parse(programName, os.Args[1:], func(flags *flag.FlagSet) {
@@ -107,6 +109,8 @@ func (cfg *daemonConfig) Setup() (cmd.Starter, error) {
 		flags.BoolVar(&tlsConfig.SkipVerify, "tls-skip-verify", false, "Skip TLS certificate verification - use it only for testing")
 		flags.BoolVar(&disableTLS, "disable-tls", false, "Disable TLS encryption - use it only for testing")
 		flags.BoolVar(&secureComms, "secure-comms", false, "Use SSH to secure communication between cluster and peer pods")
+		flags.StringVar(&secureCommsInbounds, "secure-comms-inbounds", "", "Inbound tags for secure communication tunnels")
+		flags.StringVar(&secureCommsOutbounds, "secure-comms-outbounds", "", "Outbound tags for secure communication tunnels")
 		flags.DurationVar(&cfg.serverConfig.ProxyTimeout, "proxy-timeout", proxy.DefaultProxyTimeout, "Maximum timeout in minutes for establishing agent proxy connection")
 
 		flags.StringVar(&cfg.networkConfig.TunnelType, "tunnel-type", podnetwork.DefaultTunnelType, "Tunnel provider")
@@ -125,6 +129,9 @@ func (cfg *daemonConfig) Setup() (cmd.Starter, error) {
 
 	if secureComms {
 		cfg.serverConfig.SecureComms = true
+		cfg.serverConfig.SecureCommsInbounds = secureCommsInbounds
+		cfg.serverConfig.SecureCommsOutbounds = secureCommsOutbounds
+
 		cfg.serverConfig.AAKBCParams = "cc_kbc::http://127.0.0.1:8080"
 	} else {
 		if !disableTLS {

diff --git a/src/cloud-api-adaptor/entrypoint.sh b/src/cloud-api-adaptor/entrypoint.sh
@@ -24,7 +24,7 @@ optionals+=""
 [[ "${SECURE_COMMS_OUTBOUNDS}" == "true" ]] && optionals+="-secure-comms-outbounds "
 
 test_vars() {
-    for i in "$@"; dogit add d  
+    for i in "$@"; do
         [ -z "${!i}" ] && echo "\$$i is NOT set" && EXT=1
     done
     [[ -n $EXT ]] && exit 1

diff --git a/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go b/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud.go
@@ -13,6 +13,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 
 	"github.com/containerd/containerd/pkg/cri/annotations"
@@ -32,8 +33,8 @@ import (
 )
 
 const (
-	Version = "0.0.0"
-	KBS_URL = "http://kbs-service.kbs-operator-system:8080"
+	Version     = "0.0.0"
+	KBS_ADDRESS = "kbs-service.kbs-operator-system:8080"
 )
 
 var logger = log.New(log.Writer(), "[adaptor/cloud] ", log.LstdFlags|log.Lmsgprefix)
@@ -77,12 +78,14 @@ func (s *cloudService) removeSandbox(id sandboxID) error {
 }
 
 func NewService(provider provider.Provider, proxyFactory proxy.Factory, workerNode podnetwork.WorkerNode,
-	secureComms bool, podsDir, daemonPort, aaKBCParams string) Service {
+	secureComms bool, secureCommsInbounds, secureCommsOutbounds, podsDir, daemonPort, aaKBCParams string) Service {
 	var err error
 	var sshClient *wnssh.SshClient
 
 	if secureComms {
-		sshClient, err = wnssh.InitSshClient([]string{"K:KATAAPI:0"}, []string{"B:KBS:kbs-service.kbs-operator-system:8080"}, KBS_URL)
+		inbounds := append([]string{"K:KATAAPI:0"}, strings.Split(secureCommsInbounds, ",")...)
+		outbounds := append([]string{"B:KBS:" + KBS_ADDRESS}, strings.Split(secureCommsOutbounds, ",")...)
+		sshClient, err = wnssh.InitSshClient(inbounds, outbounds, KBS_ADDRESS)
 		if err != nil {
 			log.Fatalf("InitSshClient failed %v", err)
 		}

diff --git a/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud_test.go b/src/cloud-api-adaptor/pkg/adaptor/cloud/cloud_test.go
@@ -114,7 +114,7 @@ func TestCloudService(t *testing.T) {
 		podsDir: dir,
 	}
 
-	s := NewService(&mockProvider{}, proxyFactory, &mockWorkerNode{}, false, dir, forwarder.DefaultListenPort, "")
+	s := NewService(&mockProvider{}, proxyFactory, &mockWorkerNode{}, false, "", "", dir, forwarder.DefaultListenPort, "")
 
 	assert.NotNil(t, s)
 

diff --git a/src/cloud-api-adaptor/pkg/adaptor/server.go b/src/cloud-api-adaptor/pkg/adaptor/server.go
@@ -42,6 +42,8 @@ type ServerConfig struct {
 	AAKBCParams             string
 	EnableCloudConfigVerify bool
 	SecureComms             bool
+	SecureCommsInbounds     string
+	SecureCommsOutbounds    string
 }
 
 type Server interface {
@@ -67,7 +69,8 @@ func NewServer(provider provider.Provider, cfg *ServerConfig, workerNode podnetw
 	logger.Printf("server config: %#v", cfg)
 
 	agentFactory := proxy.NewFactory(cfg.PauseImage, cfg.CriSocketPath, cfg.TLSConfig, cfg.ProxyTimeout)
-	cloudService := cloud.NewService(provider, agentFactory, workerNode, cfg.SecureComms, cfg.PodsDir, cfg.ForwarderPort, cfg.AAKBCParams)
+	cloudService := cloud.NewService(provider, agentFactory, workerNode,
+		cfg.SecureComms, cfg.SecureCommsInbounds, cfg.SecureCommsOutbounds, cfg.PodsDir, cfg.ForwarderPort, cfg.AAKBCParams)
 	vmInfoService := vminfo.NewService(cloudService)
 
 	return &server{

diff --git a/src/cloud-api-adaptor/pkg/securecomms/wnssh/kbsclient.go b/src/cloud-api-adaptor/pkg/securecomms/wnssh/kbsclient.go
@@ -16,9 +16,9 @@ type KbsClient struct {
 	url       string
 }
 
-func InitKbsClient(url string) *KbsClient {
+func InitKbsClient(address string) *KbsClient {
 	return &KbsClient{
-		url: url,
+		url: "http://" + address,
 	}
 }
 

diff --git a/src/cloud-api-adaptor/pkg/securecomms/wnssh/wnssh.go b/src/cloud-api-adaptor/pkg/securecomms/wnssh/wnssh.go
@@ -55,7 +55,7 @@ func PpSecretName(sid string) string {
 // Structure of an inbound tag: "<MyPort>:<InboundName>:<Phase>"
 // Structure of an outbound tag: "<DesPort>:<DesHost>:<outboundName>:<Phase>"
 // Phasde may be "A" (Attestation), "K" (Kubernetes), or "B" (Both)
-func InitSshClient(inbound_strings, outbound_strings []string, kbsUrl string) (*SshClient, error) {
+func InitSshClient(inbound_strings, outbound_strings []string, kbsAddress string) (*SshClient, error) {
 	logger.Printf("Using PP Secure Comms: InitSshClient version %s", sshutil.PpSecureCommsVersion)
 
 	err := kubemgr.InitKubeMgr()
@@ -86,7 +86,7 @@ func InitSshClient(inbound_strings, outbound_strings []string, kbsUrl string) (*
 		return nil, fmt.Errorf("failed to read KBS Client Secret: %w", err)
 	}
 
-	kc := InitKbsClient(kbsUrl)
+	kc := InitKbsClient(kbsAddress)
 	err = kc.SetPemSecret(kbscPrivateKey)
 	if err != nil {
 		return nil, fmt.Errorf("KbsClient - %v", err)