feat(container.provider): update of container instance digest through…

… signature verification service Signed-off-by: SimoneFiorani <[email protected]>
sfiorani · Mar 21, 2024 · 3823331 · 3823331
1 parent 5e7e511
commit 3823331
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 10 deletions.
diff --git a/...ntainer.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java b/...ntainer.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java
@@ -49,6 +49,7 @@ public class ContainerInstance implements ConfigurableComponent, ContainerOrches
 
     private ContainerOrchestrationService containerOrchestrationService;
     private Set<ContainerSignatureValidationService> availableContainerSignatureValidationService = new HashSet<>();
+    private String signatureExtractedDigest;
 
     private State state = new Disabled(new ContainerInstanceOptions(Collections.emptyMap()));
 
@@ -91,15 +92,24 @@ public void updated(Map<String, Object> properties) {
 
         try {
             ContainerInstanceOptions newProps = new ContainerInstanceOptions(properties);
+            this.signatureExtractedDigest = null;
+
+            if (!newProps.getEnforcementDigest().isPresent()) {
+
+                logger.info(
+                        "Container configuration doesn't include enforcement digest. Validating with Container Signature Validation service");
+
+                if (newProps.getSignatureTrustAnchor().isPresent()) {
+                    ValidationResult containerSignatureValidated = validateContainerImageSignature(newProps);
+                    this.signatureExtractedDigest = containerSignatureValidated.imageDigest().orElse("?");
+                    logger.info("Container signature validation result for {}@{}({}) - {}",
+                            newProps.getContainerImage(), this.signatureExtractedDigest,
+                            newProps.getContainerImageTag(),
+                            containerSignatureValidated.isSignatureValid() ? "OK" : "FAIL");
+                } else {
+                    logger.info("No trust anchor available. Signature validation skipped.");
+                }
 
-            if (newProps.getSignatureTrustAnchor().isPresent()) {
-                ValidationResult containerSignatureValidated = validateContainerImageSignature(newProps);
-                String imageDigest = containerSignatureValidated.imageDigest().orElse("?");
-                logger.info("Container signature validation result for {}@{}({}) - {}", newProps.getContainerImage(),
-                        imageDigest, newProps.getContainerImageTag(),
-                        containerSignatureValidated.isSignatureValid() ? "OK" : "FAIL");
-            } else {
-                logger.info("No trust anchor available. Signature validation skipped.");
             }
 
             if (newProps.isEnabled()) {
@@ -342,7 +352,9 @@ private void startMicroservice(final ContainerInstanceOptions options) {
             int maxRetries = options.getMaxDownloadRetries();
             int retryInterval = options.getRetryInterval();
 
-            final ContainerConfiguration containerConfiguration = options.getContainerConfiguration();
+            final ContainerConfiguration containerConfiguration = options.getEnforcementDigest().isPresent()
+                    ? options.getContainerConfiguration()
+                    : options.getContainerConfiguration(signatureExtractedDigest);
 
             int retries = 0;
             while ((unlimitedRetries || retries < maxRetries) && !Thread.currentThread().isInterrupted()) {
@@ -425,4 +437,4 @@ public State onDisabled() {
 
     }
 
-}
+}
diff --git a/....provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstanceOptions.java b/....provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstanceOptions.java
@@ -394,6 +394,22 @@ public ContainerConfiguration getContainerConfiguration() {
                 .setRuntime(getRuntime()).setEnforcementDigest(getEnforcementDigest()).build();
     }
 
+    public ContainerConfiguration getContainerConfiguration(String signatureExtractedDigest) {
+
+        Optional<String> finalEnforcementDigest = (!signatureExtractedDigest.equals("?"))
+                ? Optional.of(signatureExtractedDigest)
+                : getEnforcementDigest();
+
+        return buildPortConfig(ContainerConfiguration.builder()).setContainerName(getContainerName())
+                .setImageConfiguration(buildImageConfig()).setEnvVars(getContainerEnvList())
+                .setVolumes(getContainerVolumeList()).setPrivilegedMode(this.privilegedMode)
+                .setDeviceList(getContainerDeviceList()).setFrameworkManaged(true).setLoggingType(getLoggingType())
+                .setContainerNetowrkConfiguration(buildContainerNetworkConfig())
+                .setLoggerParameters(getLoggerParameters()).setEntryPoint(getEntryPoint())
+                .setRestartOnFailure(getRestartOnFailure()).setMemory(getMemory()).setCpus(getCpus()).setGpus(getGpus())
+                .setRuntime(getRuntime()).setEnforcementDigest(finalEnforcementDigest).build();
+    }
+
     private List<Integer> parsePortString(String ports) {
         List<Integer> tempArray = new ArrayList<>();
         if (!ports.isEmpty()) {