Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add nebula_ca plugin #539

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

cclaudio
Copy link

@cclaudio cclaudio commented Oct 19, 2024

This PR adds the nebula_ca plugin.

How to build it

The first step builds trustee with the 'nebula-ca' cargo feature enabled.
The second step configures the plugin as explained in the kbs/docs/config.md.
The third step runs all trustee components.

    $ docker compose build --build-arg NEBULA_CA=true
    $ cat >> kbs/config/docker-compose/kbs-config.toml << EOF
    [[plugins]]
    name = "nebula-ca"
    nebula_cert_bin_path = "/usr/local/bin/nebula-cert"
    work_dir = "/opt/confidential-containers/kbs/nebula-ca"
    [plugins.self_signed_ca]
    name = "Nebula CA for Trustee KBS"
    EOF
    $ docker compose up

How to test it

Ultimately, the plugin will be called from the CDH (confidential-containers/guest-components#763). In the meantime, we can use the kbs-client to test it.

You will need the kbs-client patch (or hack :-D) available in the branch https://github.com/cclaudio/trustee/tree/nebula-ca-plugin-test to build the kbs-client and test the plugin.

With that patch applied or the entire branch cloned, build the kbs-client:

$ cd kbs && make cli ATTESTER=snp-attester
$ sudo make install-cli

Assuming the trustee is already running, request a credential to the nebula-ca plugin:

$ kbs-client config --auth-private-key kbs/config/private.key set-resource-policy --policy-file  kbs/sample_policies/allow_all.rego
$ kbs-client get-resource --plugin-name "nebula-ca" --resource-path "credential?name=podA&ip=10.9.8.2/21" | base64 -d

That should return a Credential structure like:

{
  "node_crt":[45,45,45,45,45,66,69,71,73,78,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10,67,110,85,75,66,72,66,118,90,69,69,83,67,89,75,81,112,70,67,65,56,80,47,47,68,120,111,83,103,73,67,73,67,73,68,119,47,47,56,80,103,73,67,73,67,73,68,119,47,47,56,80,75,76,80,47,43,55,115,71,77,76,88,80,10,120,115,99,71,79,105,68,48,99,57,104,75,115,99,73,119,69,84,116,118,74,54,48,99,53,122,119,69,104,119,101,49,48,74,55,111,73,55,111,101,117,68,102,97,77,89,117,87,67,85,111,103,76,70,48,75,99,85,79,112,81,73,114,106,10,110,74,51,101,72,116,68,120,103,84,67,68,69,54,116,106,76,82,50,87,111,90,98,54,103,53,50,89,71,56,85,83,81,70,118,115,85,87,69,89,83,108,83,110,88,97,53,102,48,52,88,78,82,67,109,88,84,85,66,122,51,73,90,67,10,86,121,120,86,88,68,101,50,85,70,84,76,72,105,83,82,121,82,112,69,48,82,122,97,51,100,107,113,117,70,118,106,52,70,83,70,88,72,70,80,89,122,108,107,79,104,43,107,106,90,108,121,83,103,65,61,10,45,45,45,45,45,69,78,68,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10],
  "node_key":[45,45,45,45,45,66,69,71,73,78,32,78,69,66,85,76,65,32,88,50,53,53,49,57,32,80,82,73,86,65,84,69,32,75,69,89,45,45,45,45,45,10,104,74,67,43,105,85,86,56,113,109,122,85,105,57,75,87,118,73,110,83,110,114,53,65,104,108,80,43,108,52,118,70,105,69,117,101,84,77,76,47,73,76,111,61,10,45,45,45,45,45,69,78,68,32,78,69,66,85,76,65,32,88,50,53,53,49,57,32,80,82,73,86,65,84,69,32,75,69,89,45,45,45,45,45,10],
  "ca_crt":[45,45,45,45,45,66,69,71,73,78,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10,67,107,115,75,71,85,53,108,89,110,86,115,89,83,66,68,81,83,66,109,98,51,73,103,86,72,74,49,99,51,82,108,90,83,66,76,81,108,77,111,116,117,106,66,117,65,89,119,116,115,47,71,120,119,89,54,73,79,48,86,104,52,122,84,10,83,81,121,52,108,117,54,105,122,68,98,72,102,114,72,122,65,69,117,66,120,112,108,53,88,70,65,102,115,114,47,108,85,88,98,105,81,65,69,83,81,77,77,99,108,110,105,101,117,84,100,98,97,55,56,48,80,102,82,76,101,109,77,117,10,104,90,73,89,69,50,89,97,86,112,100,105,105,72,50,75,119,81,87,43,54,113,112,89,115,105,113,119,66,98,106,53,85,72,56,100,116,114,78,101,49,43,90,122,75,86,69,76,74,65,109,80,115,79,83,105,89,84,100,115,71,81,103,61,10,45,45,45,45,45,69,78,68,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10]
}

The plugin can create a Nebula certificate authority to provide
credentials for CoCo PODs (or VMs) that want to join a Nebula encrypted
overlay network. A credential is provided only for attested CoCo PODs.

The steps below can be used to build and start trustee with support for
the 'nebula-ca' plugin. The first step builds the KBS with the
'nebula-ca' cargo feature enabled. The second step configures the
plugin as explained in the kbs/docs/config.md.

$ docker compose build --build-arg NEBULA_CA=true
$ cat >> kbs/config/docker-compose/kbs-config.toml << EOF
[[plugins]]
name = "nebula-ca"
nebula_cert_bin_path = "/usr/local/bin/nebula-cert"
work_dir = "/opt/confidential-containers/kbs/nebula-ca"
[plugins.self_signed_ca]
name = "Nebula CA for Trustee KBS"
EOF
$ docker compose up

The nebula-ca is a self signed certificate authority. When the plugin is
started, it will create the CA key and certificate based on the
configuration provided in the kbs-config.toml file, unless the
${work_dir}/ca/ca.{key,crt} already exists.

A credential can be requested via GET /kbs/v0/nebula-ca/credential.
Additional parameters can be provided via query string:

    /// Required: name of the cert, usually hostname or podname
    name: String,
    /// Required: IPv4 address and network in CIDR notation to assign the cert
    ip: String,
    /// Optional: how long the cert should be valid for.
    /// The default is 1 second before the signing cert expires.
    /// Valid time units are seconds: "s", minutes: "m", hours: "h".
    duration: Option<String>,
    /// Optional: comma separated list of groups.
    groups: Option<String>,
    /// Optional: comma separated list of ipv4 address and network in CIDR notation.
    /// Subnets this cert can serve for
    subnets: Option<String>,

For example, the GET below provides two required parameters via query
string: name and IP address (CIDR notation). Other examples can be found
in the unit test cases defined in the nebula_ca.rs file.

GET /kbs/v0/nebula-ca/credential?name=podA&ip=10.9.8.2/21

Signed-off-by: Claudio Carvalho <[email protected]>
@cclaudio cclaudio marked this pull request as ready for review January 8, 2025 23:17
@cclaudio
Copy link
Author

cclaudio commented Jan 8, 2025

This PR is ready for review. I updated the PR description with the steps to build and test it.

Copy link
Member

@portersrc portersrc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm
I review this by going through the code and looking for bugs -- I didn't spot anything.
I also tried to build and run. docker compose up fails for me but for reasons unrelated to your work, I think. If you eventually lift those instructions and put them in docs or a tutorial, we can add some more details.

Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks clean. A few suggestions but nothing too significant.

| Property | Type | Description | Required | Example |
|------------------------|--------|-----------------------------------|----------|-----------------------------------------------------|
| `nebula_cert_bin_path` | String | nebula-cert binary path | Yes | `/usr/local/bin/nebula-cert` |
| `work_dir` | String | This plugin work directory, it requires `rw` permission | Yes | `/opt/confidential-containers/kbs/nebula-ca` |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do these need to be required? It seems like we could have default values for both parameters.


| Property | Type | Description | Required | Default | Example |
|---------------------|---------|-----------------------------------|----------|-----------------------------------------------------|
| `name` | String | Name of the certificate authority | Yes | | `Nebula Ca for Trustee KBS` |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This also seems like it could have a default value

}
if let Some(value) = &ca.subnets {
args.extend_from_slice(&["-subnets".into(), value.into()]);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might be able to use a macro to make this a little less repetitive.

@@ -33,6 +33,9 @@ aliyun = ["kms/aliyun"]
# Use pkcs11 resource backend to store secrets in an HSM
pkcs11 = ["cryptoki"]

# Use Nebula CA to provide credentials for nodes (pods) to join a Nebula overlay network
nebula-ca = []
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we should have a convention for features that enable plugins. we could call this nebula-ca-plugin for instance

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree and I like nebula-ca-plugin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: We have code
Development

Successfully merging this pull request may close these issues.

3 participants