From 3823331ea828c1e09721b7b8b641779871fa76fe Mon Sep 17 00:00:00 2001 From: SimoneFiorani Date: Thu, 21 Mar 2024 17:04:48 +0100 Subject: [PATCH] feat(container.provider): update of container instance digest through signature verification service Signed-off-by: SimoneFiorani --- .../container/provider/ContainerInstance.java | 32 +++++++++++++------ .../provider/ContainerInstanceOptions.java | 16 ++++++++++ 2 files changed, 38 insertions(+), 10 deletions(-) diff --git a/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java b/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java index 7a7f4d4b366..06d9a37a9a8 100644 --- a/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java +++ b/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstance.java @@ -49,6 +49,7 @@ public class ContainerInstance implements ConfigurableComponent, ContainerOrches private ContainerOrchestrationService containerOrchestrationService; private Set availableContainerSignatureValidationService = new HashSet<>(); + private String signatureExtractedDigest; private State state = new Disabled(new ContainerInstanceOptions(Collections.emptyMap())); @@ -91,15 +92,24 @@ public void updated(Map properties) { try { ContainerInstanceOptions newProps = new ContainerInstanceOptions(properties); + this.signatureExtractedDigest = null; + + if (!newProps.getEnforcementDigest().isPresent()) { + + logger.info( + "Container configuration doesn't include enforcement digest. Validating with Container Signature Validation service"); + + if (newProps.getSignatureTrustAnchor().isPresent()) { + ValidationResult containerSignatureValidated = validateContainerImageSignature(newProps); + this.signatureExtractedDigest = containerSignatureValidated.imageDigest().orElse("?"); + logger.info("Container signature validation result for {}@{}({}) - {}", + newProps.getContainerImage(), this.signatureExtractedDigest, + newProps.getContainerImageTag(), + containerSignatureValidated.isSignatureValid() ? "OK" : "FAIL"); + } else { + logger.info("No trust anchor available. Signature validation skipped."); + } - if (newProps.getSignatureTrustAnchor().isPresent()) { - ValidationResult containerSignatureValidated = validateContainerImageSignature(newProps); - String imageDigest = containerSignatureValidated.imageDigest().orElse("?"); - logger.info("Container signature validation result for {}@{}({}) - {}", newProps.getContainerImage(), - imageDigest, newProps.getContainerImageTag(), - containerSignatureValidated.isSignatureValid() ? "OK" : "FAIL"); - } else { - logger.info("No trust anchor available. Signature validation skipped."); } if (newProps.isEnabled()) { @@ -342,7 +352,9 @@ private void startMicroservice(final ContainerInstanceOptions options) { int maxRetries = options.getMaxDownloadRetries(); int retryInterval = options.getRetryInterval(); - final ContainerConfiguration containerConfiguration = options.getContainerConfiguration(); + final ContainerConfiguration containerConfiguration = options.getEnforcementDigest().isPresent() + ? options.getContainerConfiguration() + : options.getContainerConfiguration(signatureExtractedDigest); int retries = 0; while ((unlimitedRetries || retries < maxRetries) && !Thread.currentThread().isInterrupted()) { @@ -425,4 +437,4 @@ public State onDisabled() { } -} \ No newline at end of file +} diff --git a/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstanceOptions.java b/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstanceOptions.java index 69281fe235a..928f2c0d88b 100644 --- a/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstanceOptions.java +++ b/kura/org.eclipse.kura.container.provider/src/main/java/org/eclipse/kura/container/provider/ContainerInstanceOptions.java @@ -394,6 +394,22 @@ public ContainerConfiguration getContainerConfiguration() { .setRuntime(getRuntime()).setEnforcementDigest(getEnforcementDigest()).build(); } + public ContainerConfiguration getContainerConfiguration(String signatureExtractedDigest) { + + Optional finalEnforcementDigest = (!signatureExtractedDigest.equals("?")) + ? Optional.of(signatureExtractedDigest) + : getEnforcementDigest(); + + return buildPortConfig(ContainerConfiguration.builder()).setContainerName(getContainerName()) + .setImageConfiguration(buildImageConfig()).setEnvVars(getContainerEnvList()) + .setVolumes(getContainerVolumeList()).setPrivilegedMode(this.privilegedMode) + .setDeviceList(getContainerDeviceList()).setFrameworkManaged(true).setLoggingType(getLoggingType()) + .setContainerNetowrkConfiguration(buildContainerNetworkConfig()) + .setLoggerParameters(getLoggerParameters()).setEntryPoint(getEntryPoint()) + .setRestartOnFailure(getRestartOnFailure()).setMemory(getMemory()).setCpus(getCpus()).setGpus(getGpus()) + .setRuntime(getRuntime()).setEnforcementDigest(finalEnforcementDigest).build(); + } + private List parsePortString(String ports) { List tempArray = new ArrayList<>(); if (!ports.isEmpty()) {