kbs: Add nebula_ca plugin

The plugin can generate credentials for CoCo PODs (or VMs) that want to join a Nebula encrypted overlay network. The service is accessible only for CoCo PODs that were attested. At initialization phase, the plugin generates the CA key and certificate based on the config pointed in the kbs-config.toml. At runtime, the plugin can take GET requests to generate credentials. The parameters are provided via query string; the CoCo POD name node and IP address (CDR format e.g. 10.9.1.2/21) are required, the other parameters listed in the NebulaCredentialParams structure are optional. Signed-off-by: Claudio Carvalho <[email protected]>
confidential-containers · Oct 19, 2024 · 00aeb55 · 00aeb55
1 parent c058c6a
commit 00aeb55
Show file tree

Hide file tree

Showing 12 changed files with 630 additions and 14 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -40,6 +40,7 @@ reqwest = { version = "0.12", default-features = false, features = ["default-tls
 rstest = "0.18.1"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.89"
+serde_qs = "0.13.0"
 serde_with = { version = "1.11.0", features = ["base64", "hex"] }
 serial_test = "0.9.0"
 sha2 = "0.10"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -15,8 +15,10 @@ services:
       - "8080:8080"
     volumes:
       - ./kbs/data/kbs-storage:/opt/confidential-containers/kbs/repository:rw
+      - ./kbs/data/nebula-ca:/opt/confidential-containers/kbs/nebula-ca:rw
       - ./kbs/config/public.pub:/opt/confidential-containers/kbs/user-keys/public.pub
       - ./kbs/config/docker-compose/kbs-config.toml:/etc/kbs-config.toml
+      - ./kbs/config/docker-compose/self-signed-nebula-ca-config.toml:/etc/self-signed-nebula-ca-config.toml
     depends_on:
     - as
 

diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
@@ -55,10 +55,12 @@ regorus.workspace = true
 reqwest = { workspace = true, features = ["json"] }
 rsa = { version = "0.9.2", features = ["sha2"] }
 scc = "2"
+serde_qs.workspace = true
 semver = "1.0.16"
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
 strum.workspace = true
+tempfile.workspace = true
 thiserror.workspace = true
 time = { version = "0.3.23", features = ["std"] }
 tokio.workspace = true
@@ -68,7 +70,6 @@ openssl = "0.10.55"
 az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
 
 [dev-dependencies]
-tempfile.workspace = true
 rstest.workspace = true
 
 [build-dependencies]

diff --git a/kbs/config/docker-compose/kbs-config.toml b/kbs/config/docker-compose/kbs-config.toml
@@ -11,4 +11,14 @@ type = "coco_as_grpc"
 as_addr = "http://as:50004"
 
 [admin]
-auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
+auth_public_key = "/opt/confidential-containers/kbs/user-keys/public.pub"
+
+[[plugins]]
+name = "nebula_ca"
+type = "SelfSigned"
+config_path = "/etc/self-signed-nebula-ca-config.toml"
+
+[[plugins]]
+name = "resource"
+type = "LocalFs"
+dir_path = "/opt/confidential-containers/kbs/repository"
diff --git a/kbs/config/docker-compose/self-signed-nebula-ca-config.toml b/kbs/config/docker-compose/self-signed-nebula-ca-config.toml
@@ -0,0 +1,58 @@
+# Required: <String>
+# Path to the nebula-cert binary obtained from the Nebula release
+nebula_cert_bin_path = "/usr/local/bin/nebula-cert"
+
+# Required: <String>
+work_dir = "/opt/confidential-containers/kbs/nebula-ca"
+
+[settings]
+
+# Required: <String>
+# Name of the certificate authority
+name = "Nebula CA for Trustee KBS"
+
+# Optional: <u32>
+# Argon2 iterations parameter used for encrypted
+# private key passphrase (default 1)
+## argon_iterations = 1
+
+# Optional: <u32>
+# Argon2 memory parameter (in KiB) used for encrypted
+# private key passphrase (default 2097152)
+## argon_memory = 2097152
+
+# Optional: <u32>
+# Argon2 parallelism parameter used for encrypted private
+# key passphrase (default 4)
+## argon_parallelism = 4
+
+# Optional: <String>
+# EdDSA/ECDSA Curve (25519, P256) (default "25519")
+## curve = "25519"
+
+# Optional: <String>
+# Amount of time the certificate should be valid for.
+# Valid time units are seconds:
+# "s", minutes: "m", hours: "h" (default 8760h0m0s)
+## duration = "8760h0m0s"
+
+# Optional: <String>
+# Comma separated list of groups. This will limit which
+# groups subordinate certs can use
+## groups = "servers,ssh"
+
+# Optional: <String>
+# Comma separated list of ipv4 address and network
+# in CIDR notation. This will limit which ipv4 addresses and
+# networks subordinate certs can use for ip addresses
+## ips = "192.168.100.10/24"
+
+# Optional: <String>
+# Path to write a QR code image (png) of the certificate
+## out_qr = "/opt/confidential-containers/kbs/plugin/nebula/ca/ca.png"
+
+# Optional: <String>
+# Comma separated list of ipv4 address and network
+# in CIDR notation. This will limit which ipv4 addresses and
+# networks subordinate certs can use in subnets
+## subnets = "192.168.86.0/24"
diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile
@@ -11,8 +11,13 @@ RUN apt-get update && apt install -y protobuf-compiler git
 RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} && \
     make install-kbs
 
+# Install Nebula
+RUN wget https://github.com/slackhq/nebula/releases/download/v1.8.2/nebula-linux-amd64.tar.gz
+RUN tar -C /usr/local/bin -xzf nebula-linux-amd64.tar.gz
+
 FROM ubuntu:22.04
 
 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/kbs"
 
 COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
+COPY --from=builder /usr/local/bin/nebula-cert /usr/local/bin/nebula-cert
diff --git a/kbs/src/plugins/mod.rs b/kbs/src/plugins/mod.rs
@@ -5,6 +5,7 @@
 pub mod error;
 pub mod plugin_manager;
 
+pub mod nebula_ca;
 pub mod resource;
 pub mod sample;