cdh: move image crate into hub/image module

the image crate is used exclusively by cdh, so we don't need to maintain
it as individual crate, helping with naming conflicts and reducing build
complexity.

Signed-off-by: Magnus Kulke <[email protected]>

.github/workflows/cdh_basic.yml

@@ -67,13 +67,13 @@ jobs:
 
       - name: Run cargo test
         run: |
-          sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub -p secret -p image
+          sudo -E PATH=$PATH -s cargo test --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub -p secret
 
       - name: Run cargo fmt check
         run: |
-          sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -p secret -p image -- --check
+          sudo -E PATH=$PATH -s cargo fmt -p kms -p confidential-data-hub -p secret -- --check
 
       - name: Run rust lint check
         run: |
           # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now
-          sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -p secret -p image -- -D warnings -A clippy::derive-partial-eq-without-eq 
+          sudo -E PATH=$PATH -s cargo clippy -p kms -p confidential-data-hub -p secret -- -D warnings -A clippy::derive-partial-eq-without-eq 

Cargo.toml

@@ -12,7 +12,6 @@ members = [
     "attestation-agent/coco_keyprovider",
     "confidential-data-hub/hub",
     "confidential-data-hub/kms",
-    "confidential-data-hub/image",
     "confidential-data-hub/secret",
     "confidential-data-hub/storage",
     "image-rs",

confidential-data-hub/hub/Cargo.toml

@@ -34,14 +34,15 @@ base64.workspace = true
 cfg-if = { workspace = true, optional = true }
 clap = { workspace = true, features = [ "derive" ], optional = true }
 config = { workspace = true, optional = true }
+crypto.path = "../../attestation-agent/deps/crypto"
 env_logger = { workspace = true, optional = true }
-image = { path = "../image", default-features = false }
 image-rs = { path = "../../image-rs", default-features = false, features = ["kata-cc-rustls-tls"] }
 kms = { path = "../kms", default-features = false }
 lazy_static.workspace = true
 log.workspace = true
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
+resource_uri.path = "../../attestation-agent/deps/resource_uri"
 secret.path = "../secret"
 storage.path = "../storage"
 serde = { workspace = true, optional = true }
@@ -66,16 +67,16 @@ tempfile.workspace = true
 default = ["kbs", "bin", "ttrpc", "grpc"]
 
 # support aliyun stacks (KMS, ..)
-aliyun = ["image/aliyun", "secret/aliyun"]
+aliyun = ["secret/aliyun"]
 
 # support coco-KBS to provide confidential resources
-kbs = ["image/kbs", "kms/kbs", "secret/kbs"]
+kbs = ["kms/kbs", "secret/kbs"]
 
 # support sev to provide confidential resources
-sev = ["image/sev", "kms/sev", "secret/sev"]
+sev = ["kms/sev", "secret/sev"]
 
 # support eHSM stacks (KMS, ...)
-ehsm = ["image/ehsm", "secret/ehsm"]
+ehsm = ["secret/ehsm"]
 
 # Binary RPC type
 bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ]

confidential-data-hub/hub/src/error.rs

@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use crate::image;
 use thiserror::Error;
 
 pub type Result<T> = std::result::Result<T, Error>;

confidential-data-hub/hub/src/hub.rs

@@ -12,7 +12,7 @@ use log::{debug, info};
 use storage::volume_type::Storage;
 use tokio::sync::{Mutex, OnceCell};
 
-use crate::{CdhConfig, DataHub, Error, Result};
+use crate::{image, CdhConfig, DataHub, Error, Result};
 
 pub struct Hub {
     pub(crate) credentials: HashMap<String, String>,

confidential-data-hub/image/src/annotation_packet/mod.rs → confidential-data-hub/hub/src/image/annotation_packet/mod.rs

@@ -14,7 +14,7 @@ mod tests {
 
     #[test]
     fn compatiblity_with_old_packets() {
-        let v1_raw = include_str!("../../test/v1.json");
+        let v1_raw = include_str!("../test/v1.json");
         let _: AnnotationPacket = serde_json::from_str(v1_raw).expect("unable to parse V1 with V2");
     }
 }

confidential-data-hub/image/src/annotation_packet/v1.rs → confidential-data-hub/hub/src/image/annotation_packet/v1.rs

@@ -6,6 +6,8 @@
 use resource_uri::ResourceUri;
 use serde::{Deserialize, Serialize};
 
+use crate::image::{Error, Result};
+
 /// `AnnotationPacket` is what a encrypted image layer's
 /// `org.opencontainers.image.enc.keys.provider.attestation-agent`
 /// annotation should contain when it is encrypted by CoCo's
@@ -24,13 +26,11 @@ pub struct AnnotationPacket {
 }
 
 impl AnnotationPacket {
-    pub(crate) async fn unwrap_key(&self) -> crate::Result<Vec<u8>> {
+    pub(crate) async fn unwrap_key(&self) -> Result<Vec<u8>> {
         use base64::{engine::general_purpose::STANDARD, Engine};
         use crypto::WrapType;
         use kms::{plugins::VaultProvider, Annotations, ProviderSettings};
 
-        use crate::Error;
-
         let wrap_type = WrapType::try_from(&self.wrap_type[..])
             .map_err(|_| Error::UnknownWrapType(self.wrap_type.to_string()))?;
         let kbs_client = kms::new_getter(VaultProvider::Kbs.as_ref(), ProviderSettings::default())

confidential-data-hub/image/src/annotation_packet/v2.rs → confidential-data-hub/hub/src/image/annotation_packet/v2.rs

@@ -12,7 +12,7 @@ use kms::{plugins::VaultProvider, Annotations, ProviderSettings};
 use serde::{Deserialize, Serialize};
 use serde_json::Map;
 
-use crate::{Error, Result};
+use crate::image::{Error, Result};
 
 pub const DEFAULT_VERSION: &str = "0.1.0";
 

confidential-data-hub/image/src/lib.rs → confidential-data-hub/hub/src/image/mod.rs

@@ -8,7 +8,7 @@ pub mod error;
 
 pub use annotation_packet::AnnotationPacket;
 use anyhow::anyhow;
-pub use error::*;
+pub use error::{Error, Result};
 
 pub async fn unwrap_key(annotation_packet: &[u8]) -> Result<Vec<u8>> {
     let annotation_packet: AnnotationPacket =

confidential-data-hub/hub/src/lib.rs

@@ -15,3 +15,5 @@ pub mod auth;
 
 pub mod config;
 pub use config::*;
+
+pub mod image;