Bring KBS Resource URI into Image-rs #119
Conversation
Xynnn007
requested review from
sameo,
jiangliu,
arronwy,
lumjjb and
jialez0
as code owners
|
enclave-cc test error is due to different attestation-agent version in ocicrypt-rs and image-rs. When confidential-containers/attestation-agent#129 is merged, AA's rev should be updated in ocicrypt-rs and then in this PR. |
|
This PR introduces three more parameters in I think these parameters should be input from Still, a questions comes. For test we can fix these fields like Potentially, we need to think about how we provide these uris to |
Thanks @Xynnn007 , to support the flexiblity for different senarios and easy to use for end user, we can expose these interfaces with default value which can backword compatibale previous release, and let the end user to config them if needed. |
This commit refactors some of the functions of sample signing module. Mainly convert clones into references, which helps to avoid extra memory copies when executing Signed-off-by: Xynnn007 <[email protected]>
|
@arronwy Yes, now the three parameters are set to
These are defined in attestation-agent https://github.com/confidential-containers/attestation-agent/blob/main/src/kbc_modules/mod.rs#L152 |
This commit brings in KBS Resource URI support. All the functions related to read a file from given uri has been brought to module `resource`. Now different resources can be fetched using the overall api resource::get_resource() This Api now support two basic protocol: - file:// read file from local filesystem - kbs:// read file from KBS This commit also fixes features of `keywrap-grpc`, `keywrap-ttrpc` and `keywrap-native` to let them to be allowed to exist at the same time. Signed-off-by: Xynnn007 <[email protected]>
This commit bring out the sigstore configuration file into ImageClient's config to specify which sigstore configuration file for simple signing will be used. Also, some refactoring is applied on the simple signing related codes, including: - Now when merging two sigstore configs, if the contents are duplicated but not conflict, no error will be raised Besides, `KeyPath` field in both cosign and simple signing will use either kbs resource uri or local filesystem path from now on. If a local fs path is used, a absolute path is recommended Signed-off-by: Xynnn007 <[email protected]>
Credential in integration test now is specified by a kbs resource uri (kbs resource uri in `get_resource` api test) Image decryption key in integration is specified by a kbs resource uri in image's AnnotationPacket (kbs resource uri in `unwrap_key` api test) Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
The env should be removed first and then the config be inited, or when the env CC_IMAGE_WORK_DIR is set, the first assert_eq will fail Signed-off-by: Xynnn007 <[email protected]>
related rev brings kbs resource uri scheme Signed-off-by: Xynnn007 <[email protected]>
This PR mainly aims to bring KBS Resource URI scheme into image-rs. Concrete contents of this PR includes
ImageClient.config.file_pathsbefore doing pulling. Related codes were refactoredsigstore_config: Signature storage configuration file for simple signing, which describes where an image's signature is storedpolicy_path: image security policy JSON file, s.t.policy.jsonauth_file: credential file to access a private image registry, s.t.auth.jsonsecure_channelmodule intoresourcemodule which gives an public apiget_resource(uri). Here uri supports two schemes for now and can be extended appropriatelykbs://...: retrieve the resource from KBS.file://...: read the resource from local file system. By default if no scheme is given, try to read usingfile://resource_manifest. For now, when a resource is needed, functioncrate::resource::get_resource(uri)can be called to get lazily. The code logic was simplified.docker.io/xynnn007/busybox:encrypted-uri-keywhich is made using cc-kbc's key provider as it shares the same format of AnnotationPacket and KBS URI.Close #116