Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
kata-agent: set ocicrypt environment variable
this will (re-)enable support for encrypted images on kata#main

kata uses image-rs, which in turn uses ocicrypt-rs. the latter requires the env OCICRYPT_KEYPROVIDER_CONFIG to point to a file which defines how decryption keys can be retrieved from CDH. (note: it's called attestation-agent here, but that's a misnomer for historical reasons)

kata-agent is only setting this env in process and writing the file to a /tmp location, if it is actively managing the guest-component processes. We start those processes as service units, so we have to take care of it on the podvm manually.

the ocicrypt file is static and writing to /tmp wouldn't work well with a read-only rootfs anyway, so we can just include it in the podvm image and reference the path in the env.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
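A check that a podvm image build or boot-time test could run for the setup described in the commit message, as an added example that is not part of this commit or of kata-agent: it confirms that OCICRYPT_KEYPROVIDER_CONFIG points at a static file outside /tmp, that the file is not group- or world-writable, and that it carries an `attestation-agent` key provider entry. The function name, the `ttrpc` transport key and the socket path in the sample config are assumptions.

```python
import json
import os
import stat

ENV_NAME = "OCICRYPT_KEYPROVIDER_CONFIG"
PROVIDER = "attestation-agent"  # provider name as given in the commit message

# Constructed sample config; transport key and socket path are placeholders.
SAMPLE_CONFIG = (
    '{"key-providers": {"attestation-agent": '
    '{"ttrpc": "unix:///run/example/cdh.sock"}}}'
)


def check_keyprovider_env(env, volatile_dirs=("/tmp",)):
    """Return a list of problems with the key provider config env points to."""
    path = env.get(ENV_NAME)
    if not path:
        return [f"{ENV_NAME} is not set"]
    real = os.path.realpath(path)
    problems = []
    for d in volatile_dirs:
        base = os.path.realpath(d)
        if os.path.commonpath([real, base]) == base:
            problems.append(f"{real} is under volatile directory {d}")
    try:
        mode = os.stat(real).st_mode
        with open(real, encoding="utf-8") as fh:
            doc = json.load(fh)
    except OSError as exc:
        return problems + [f"cannot read {real}: {exc.strerror}"]
    except ValueError as exc:  # malformed JSON or undecodable bytes
        return problems + [f"{real} is not valid JSON: {exc}"]
    # The file decides where decryption keys are requested from, so it
    # must not be modifiable by unprivileged users in the guest.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{real} is group- or world-writable")
    providers = doc.get("key-providers") if isinstance(doc, dict) else None
    if not isinstance(providers, dict):
        problems.append('missing top-level "key-providers" object')
    elif not isinstance(providers.get(PROVIDER), dict):
        problems.append(f'no "{PROVIDER}" entry under "key-providers"')
    return problems


if __name__ == "__main__":
    # Run inside the unit's environment, e.g. from a boot-time self-test.
    print(check_keyprovider_env(os.environ) or "ok")
```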