-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add nebula_ca plugin #539
base: main
Are you sure you want to change the base?
Add nebula_ca plugin #539
Conversation
The plugin can create a Nebula certificate authority to provide credentials for CoCo PODs (or VMs) that want to join a Nebula encrypted overlay network. A credential is provided only for attested CoCo PODs. The steps below can be used to build and start trustee with support for the 'nebula-ca' plugin. The first step builds the KBS with the 'nebula-ca' cargo feature enabled. The second step configures the plugin as explained in the kbs/docs/config.md. $ docker compose build --build-arg NEBULA_CA=true $ cat >> kbs/config/docker-compose/kbs-config.toml << EOF [[plugins]] name = "nebula-ca" nebula_cert_bin_path = "/usr/local/bin/nebula-cert" work_dir = "/opt/confidential-containers/kbs/nebula-ca" [plugins.self_signed_ca] name = "Nebula CA for Trustee KBS" EOF $ docker compose up The nebula-ca is a self signed certificate authority. When the plugin is started, it will create the CA key and certificate based on the configuration provided in the kbs-config.toml file, unless the ${work_dir}/ca/ca.{key,crt} already exists. A credential can be requested via GET /kbs/v0/nebula-ca/credential. Additional parameters can be provided via query string: /// Required: name of the cert, usually hostname or podname name: String, /// Required: IPv4 address and network in CIDR notation to assign the cert ip: String, /// Optional: how long the cert should be valid for. /// The default is 1 second before the signing cert expires. /// Valid time units are seconds: "s", minutes: "m", hours: "h". duration: Option<String>, /// Optional: comma separated list of groups. groups: Option<String>, /// Optional: comma separated list of ipv4 address and network in CIDR notation. /// Subnets this cert can serve for subnets: Option<String>, For example, the GET below provides two required parameters via query string: name and IP address (CIDR notation). Other examples can be found in the unit test cases defined in the nebula_ca.rs file. GET /kbs/v0/nebula-ca/credential?name=podA&ip=10.9.8.2/21 Signed-off-by: Claudio Carvalho <[email protected]>
4359304
to
a48c6de
Compare
This PR is ready for review. I updated the PR description with the steps to build and test it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
I review this by going through the code and looking for bugs -- I didn't spot anything.
I also tried to build and run. docker compose up
fails for me but for reasons unrelated to your work, I think. If you eventually lift those instructions and put them in docs or a tutorial, we can add some more details.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks clean. A few suggestions but nothing too significant.
| Property | Type | Description | Required | Example | | ||
|------------------------|--------|-----------------------------------|----------|-----------------------------------------------------| | ||
| `nebula_cert_bin_path` | String | nebula-cert binary path | Yes | `/usr/local/bin/nebula-cert` | | ||
| `work_dir` | String | This plugin work directory, it requires `rw` permission | Yes | `/opt/confidential-containers/kbs/nebula-ca` | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do these need to be required? It seems like we could have default values for both parameters.
|
||
| Property | Type | Description | Required | Default | Example | | ||
|---------------------|---------|-----------------------------------|----------|-----------------------------------------------------| | ||
| `name` | String | Name of the certificate authority | Yes | | `Nebula Ca for Trustee KBS` | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also seems like it could have a default value
} | ||
if let Some(value) = &ca.subnets { | ||
args.extend_from_slice(&["-subnets".into(), value.into()]); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You might be able to use a macro to make this a little less repetitive.
@@ -33,6 +33,9 @@ aliyun = ["kms/aliyun"] | |||
# Use pkcs11 resource backend to store secrets in an HSM | |||
pkcs11 = ["cryptoki"] | |||
|
|||
# Use Nebula CA to provide credentials for nodes (pods) to join a Nebula overlay network | |||
nebula-ca = [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we should have a convention for features that enable plugins. we could call this nebula-ca-plugin
for instance
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree and I like nebula-ca-plugin
This PR adds the nebula_ca plugin.
How to build it
The first step builds trustee with the 'nebula-ca' cargo feature enabled.
The second step configures the plugin as explained in the kbs/docs/config.md.
The third step runs all trustee components.
How to test it
Ultimately, the plugin will be called from the CDH (confidential-containers/guest-components#763). In the meantime, we can use the kbs-client to test it.
You will need the kbs-client patch (or hack :-D) available in the branch https://github.com/cclaudio/trustee/tree/nebula-ca-plugin-test to build the kbs-client and test the plugin.
With that patch applied or the entire branch cloned, build the kbs-client:
Assuming the trustee is already running, request a credential to the nebula-ca plugin:
That should return a Credential structure like: