manifest: add WorkloadSecretID field

This field will be used as part of the workload secret feature (RFC 007) to generate secrets.

cli/cmd/policies.go

@@ -76,22 +76,23 @@ func policiesFromKubeResources(yamlPaths []string) ([]deployment, error) {
 	return deployments, nil
 }
 
-func manifestPolicyMapFromPolicies(policies []deployment) (map[manifest.HexString][]string, error) {
-	policyHashes := make(map[manifest.HexString][]string)
+func manifestPolicyMapFromPolicies(policies []deployment) (map[manifest.HexString]manifest.PolicyEntry, error) {
+	policyHashes := make(map[manifest.HexString]manifest.PolicyEntry)
 	for _, depl := range policies {
-		if existingNames, ok := policyHashes[depl.policy.Hash()]; ok {
-			if slices.Equal(existingNames, depl.DNSNames()) {
+		if entry, ok := policyHashes[depl.policy.Hash()]; ok {
+			if slices.Equal(entry.SANs, depl.DNSNames()) {
 				return nil, fmt.Errorf("policy hash collision: %s and %s have the same hash %v",
-					existingNames, depl.name, depl.policy.Hash())
+					entry.SANs, depl.name, depl.policy.Hash())
 			}
 			continue
 		}
-		policyHashes[depl.policy.Hash()] = depl.DNSNames()
+		entry := manifest.PolicyEntry{SANs: depl.DNSNames(), WorkloadSecretID: depl.name}
+		policyHashes[depl.policy.Hash()] = entry
 	}
 	return policyHashes, nil
 }
 
-func checkPoliciesMatchManifest(policies []deployment, policyHashes map[manifest.HexString][]string) error {
+func checkPoliciesMatchManifest(policies []deployment, policyHashes map[manifest.HexString]manifest.PolicyEntry) error {
 	if len(policies) != len(policyHashes) {
 		return fmt.Errorf("policy count mismatch: %d policies in deployment, but %d in manifest",
 			len(policies), len(policyHashes))

coordinator/internal/authority/authority.go

@@ -107,10 +107,11 @@ func (m *Authority) ValidateCallback(_ context.Context, report *sevsnp.Report,
 	}
 
 	hostData := manifest.NewHexString(report.HostData)
-	dnsNames, ok := state.manifest.Policies[hostData]
+	entry, ok := state.manifest.Policies[hostData]
 	if !ok {
 		return fmt.Errorf("report data %s not found in manifest", hostData)
 	}
+	dnsNames := entry.SANs
 
 	peerPubKey, err := x509.ParsePKIXPublicKey(peerPubKeyBytes)
 	if err != nil {

coordinator/internal/authority/authority_test.go

@@ -82,7 +82,7 @@ func newManifest(t *testing.T) (*manifest.Manifest, []byte, [][]byte) {
 
 	mnfst, err := manifest.Default(platforms.AKSCloudHypervisorSNP)
 	require.NoError(t, err)
-	mnfst.Policies = map[manifest.HexString][]string{policyHashHex: {"test"}}
+	mnfst.Policies = map[manifest.HexString]manifest.PolicyEntry{policyHashHex: {SANs: []string{"test"}, WorkloadSecretID: "test2"}}
 	mnfst.WorkloadOwnerKeyDigests = []manifest.HexString{keyDigest}
 	mnfstBytes, err := json.Marshal(mnfst)
 	require.NoError(t, err)

coordinator/internal/authority/userapi_test.go

@@ -76,9 +76,9 @@ func TestManifestSet(t *testing.T) {
 		"request without policies": {
 			req: &userapi.SetManifestRequest{
 				Manifest: newManifestBytes(func(m *manifest.Manifest) {
-					m.Policies = map[manifest.HexString][]string{
-						manifest.HexString("a"): {"a1", "a2"},
-						manifest.HexString("b"): {"b1", "b2"},
+					m.Policies = map[manifest.HexString]manifest.PolicyEntry{
+						manifest.HexString("a"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"},
+						manifest.HexString("b"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"},
 					}
 				}),
 			},
@@ -87,9 +87,9 @@ func TestManifestSet(t *testing.T) {
 		"policy not in manifest": {
 			req: &userapi.SetManifestRequest{
 				Manifest: newManifestBytes(func(m *manifest.Manifest) {
-					m.Policies = map[manifest.HexString][]string{
-						manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"},
-						manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"},
+					m.Policies = map[manifest.HexString]manifest.PolicyEntry{
+						manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"},
+						manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"},
 					}
 				}),
 				Policies: [][]byte{
@@ -103,9 +103,9 @@ func TestManifestSet(t *testing.T) {
 		"valid manifest": {
 			req: &userapi.SetManifestRequest{
 				Manifest: newManifestBytes(func(m *manifest.Manifest) {
-					m.Policies = map[manifest.HexString][]string{
-						manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"},
-						manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"},
+					m.Policies = map[manifest.HexString]manifest.PolicyEntry{
+						manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"},
+						manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"},
 					}
 				}),
 				Policies: [][]byte{
@@ -167,9 +167,9 @@ func TestManifestSet(t *testing.T) {
 
 			req := &userapi.SetManifestRequest{
 				Manifest: newManifestBytes(func(m *manifest.Manifest) {
-					m.Policies = map[manifest.HexString][]string{
-						manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"},
-						manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"},
+					m.Policies = map[manifest.HexString]manifest.PolicyEntry{
+						manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"},
+						manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"},
 					}
 				}),
 				Policies: [][]byte{
@@ -226,9 +226,9 @@ func TestGetManifests(t *testing.T) {
 
 	m, err := manifest.Default(platforms.AKSCloudHypervisorSNP)
 	require.NoError(err)
-	m.Policies = map[manifest.HexString][]string{
-		manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"},
-		manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"},
+	m.Policies = map[manifest.HexString]manifest.PolicyEntry{
+		manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"},
+		manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"},
 	}
 	manifestBytes, err := json.Marshal(m)
 	require.NoError(err)
@@ -399,9 +399,9 @@ func TestUserAPIConcurrent(t *testing.T) {
 
 	setReq := &userapi.SetManifestRequest{
 		Manifest: newManifestBytes(func(m *manifest.Manifest) {
-			m.Policies = map[manifest.HexString][]string{
-				manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {"a1", "a2"},
-				manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {"b1", "b2"},
+			m.Policies = map[manifest.HexString]manifest.PolicyEntry{
+				manifest.HexString("ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"): {SANs: []string{"a1", "a2"}, WorkloadSecretID: "a3"},
+				manifest.HexString("3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d"): {SANs: []string{"b1", "b2"}, WorkloadSecretID: "b3"},
 			}
 		}),
 		Policies: [][]byte{

e2e/openssl/openssl_test.go

@@ -150,7 +150,9 @@ func TestOpenSSL(t *testing.T) {
 			require.NoError(json.Unmarshal(manifestBytes, &m))
 			// Add test domain name to first policy.
 			for policyHash := range m.Policies {
-				m.Policies[policyHash] = append(m.Policies[policyHash], fmt.Sprintf("test-%s", deploymentToRestart))
+				entry := m.Policies[policyHash]
+				entry.SANs = append(entry.SANs, fmt.Sprintf("test-%s", deploymentToRestart))
+				m.Policies[policyHash] = entry
 				break
 			}
 			manifestBytes, err = json.Marshal(m)

e2e/policy/policy_test.go

@@ -91,7 +91,7 @@ func TestPolicy(t *testing.T) {
 
 		// Remove a policy from the manifest.
 		for policyHash := range m.Policies {
-			if slices.Contains(m.Policies[policyHash], opensslFrontend) {
+			if slices.Contains(m.Policies[policyHash].SANs, opensslFrontend) {
 				delete(m.Policies, policyHash)
 			}
 		}

internal/manifest/manifest.go

@@ -16,12 +16,17 @@ import (
 // Manifest is the Coordinator manifest and contains the reference values of the deployment.
 type Manifest struct {
 	// policyHash/HOSTDATA -> commonName
-	Policies                map[HexString][]string
+	Policies                map[HexString]PolicyEntry
 	ReferenceValues         ReferenceValues
 	WorkloadOwnerKeyDigests []HexString
 	SeedshareOwnerPubKeys   []HexString
 }
 
+type PolicyEntry struct {
+	SANs             []string
+	WorkloadSecretID string
+}
+
 // HexStrings is a slice of HexString.
 type HexStrings []HexString
 

internal/manifest/manifest_test.go

@@ -84,14 +84,14 @@ func TestValidate(t *testing.T) {
 		},
 		{
 			m: &Manifest{
-				Policies:        map[HexString][]string{HexString(""): {}},
+				Policies:        map[HexString]PolicyEntry{HexString(""): {}},
 				ReferenceValues: mnf.ReferenceValues,
 			},
 			wantErr: true,
 		},
 		{
 			m: &Manifest{
-				Policies: map[HexString][]string{HexString(""): {}},
+				Policies: map[HexString]PolicyEntry{HexString(""): {}},
 				ReferenceValues: ReferenceValues{
 					AKS: &AKSReferenceValues{
 						SNP:                mnf.ReferenceValues.AKS.SNP,