-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bring KBS Resource URI into Image-rs #119
Conversation
enclave-cc test error is due to different attestation-agent version in ocicrypt-rs and image-rs. When confidential-containers/attestation-agent#129 is merged, AA's rev should be updated in ocicrypt-rs and then in this PR. |
This PR introduces three more parameters in I think these parameters should be input from Still, a questions comes. For test we can fix these fields like Potentially, we need to think about how we provide these uris to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Xynnn007 Thanks a lot for this important work! Although we use the method of overwriting the resource URI to use aa_kbc_params
correctly, this is a suitable method at present.
Thanks @Xynnn007 , to support the flexiblity for different senarios and easy to use for end user, we can expose these interfaces with default value which can backword compatibale previous release, and let the end user to config them if needed. |
This commit refactors some of the functions of sample signing module. Mainly convert clones into references, which helps to avoid extra memory copies when executing Signed-off-by: Xynnn007 <[email protected]>
@arronwy Yes, now the three parameters are set to
These are defined in attestation-agent https://github.com/confidential-containers/attestation-agent/blob/main/src/kbc_modules/mod.rs#L152 |
This commit brings in KBS Resource URI support. All the functions related to read a file from given uri has been brought to module `resource`. Now different resources can be fetched using the overall api resource::get_resource() This Api now support two basic protocol: - file:// read file from local filesystem - kbs:// read file from KBS This commit also fixes features of `keywrap-grpc`, `keywrap-ttrpc` and `keywrap-native` to let them to be allowed to exist at the same time. Signed-off-by: Xynnn007 <[email protected]>
This commit bring out the sigstore configuration file into ImageClient's config to specify which sigstore configuration file for simple signing will be used. Also, some refactoring is applied on the simple signing related codes, including: - Now when merging two sigstore configs, if the contents are duplicated but not conflict, no error will be raised Besides, `KeyPath` field in both cosign and simple signing will use either kbs resource uri or local filesystem path from now on. If a local fs path is used, a absolute path is recommended Signed-off-by: Xynnn007 <[email protected]>
Credential in integration test now is specified by a kbs resource uri (kbs resource uri in `get_resource` api test) Image decryption key in integration is specified by a kbs resource uri in image's AnnotationPacket (kbs resource uri in `unwrap_key` api test) Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
The env should be removed first and then the config be inited, or when the env CC_IMAGE_WORK_DIR is set, the first assert_eq will fail Signed-off-by: Xynnn007 <[email protected]>
related rev brings kbs resource uri scheme Signed-off-by: Xynnn007 <[email protected]>
This PR mainly aims to bring KBS Resource URI scheme into image-rs. Concrete contents of this PR includes
ImageClient.config.file_paths
before doing pulling. Related codes were refactoredsigstore_config
: Signature storage configuration file for simple signing, which describes where an image's signature is storedpolicy_path
: image security policy JSON file, s.t.policy.json
auth_file
: credential file to access a private image registry, s.t.auth.json
secure_channel
module intoresource
module which gives an public apiget_resource(uri)
. Here uri supports two schemes for now and can be extended appropriatelykbs://...
: retrieve the resource from KBS.file://...
: read the resource from local file system. By default if no scheme is given, try to read usingfile://
resource_manifest
. For now, when a resource is needed, functioncrate::resource::get_resource(uri)
can be called to get lazily. The code logic was simplified.docker.io/xynnn007/busybox:encrypted-uri-key
which is made using cc-kbc's key provider as it shares the same format of AnnotationPacket and KBS URI.Close #116