treewide: change runtime-handler naming scheme

The Contrast runtime handlers are now named in the format `contrast-cc--<platform>-<hash>`, where `<hash>` is the hash of the relevant runtime components for platform and `<platform>` is the lowercase variant of the deployed platform.

cli/cmd/generate.go

@@ -116,7 +116,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	runtimeHandler, err := mnf.RuntimeHandler(flags.referenceValuesPlatform)
+	runtimeHandler, err := manifest.RuntimeHandler(flags.referenceValuesPlatform)
 	if err != nil {
 		return fmt.Errorf("get runtime handler: %w", err)
 	}

cli/main.go

@@ -13,7 +13,7 @@ import (
 	"text/tabwriter"
 
 	"github.com/edgelesssys/contrast/cli/cmd"
-	"github.com/edgelesssys/contrast/cli/constants"
+	"github.com/edgelesssys/contrast/internal/constants"
 	"github.com/edgelesssys/contrast/internal/manifest"
 	"github.com/spf13/cobra"
 )

cli/telemetry/telemetry.go

@@ -12,7 +12,7 @@ import (
 	"net/url"
 	"runtime"
 
-	"github.com/edgelesssys/contrast/cli/constants"
+	"github.com/edgelesssys/contrast/internal/constants"
 	"github.com/spf13/cobra"
 )
 

e2e/genpolicy/genpolicy_test.go

@@ -36,7 +36,7 @@ func TestGenpolicy(t *testing.T) {
 
 	testCases := kuberesource.GenpolicyRegressionTests()
 
-	runtimeHandler, err := manifest.DefaultPlatformHandler(platform)
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
 	require.NoError(t, err)
 
 	for name, deploy := range testCases {

e2e/getdents/getdents_test.go

@@ -39,7 +39,7 @@ func TestGetDEnts(t *testing.T) {
 	// TODO(msanft): Make this configurable
 	platform := platforms.AKSCloudHypervisorSNP
 
-	runtimeHandler, err := manifest.DefaultPlatformHandler(platform)
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
 	require.NoError(t, err)
 
 	resources := kuberesource.GetDEnts()

e2e/openssl/openssl_test.go

@@ -47,7 +47,7 @@ func TestOpenSSL(t *testing.T) {
 	// TODO(msanft): Make this configurable
 	platform := platforms.AKSCloudHypervisorSNP
 
-	runtimeHandler, err := manifest.DefaultPlatformHandler(platform)
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
 	require.NoError(t, err)
 
 	resources := kuberesource.OpenSSL()

e2e/policy/policy_test.go

@@ -44,7 +44,7 @@ func TestPolicy(t *testing.T) {
 	// TODO(msanft): Make this configurable
 	platform := platforms.AKSCloudHypervisorSNP
 
-	runtimeHandler, err := manifest.DefaultPlatformHandler(platform)
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
 	require.NoError(t, err)
 
 	resources := kuberesource.OpenSSL()

e2e/servicemesh/servicemesh_test.go

@@ -38,7 +38,7 @@ func TestIngressEgress(t *testing.T) {
 	// TODO(msanft): Make this configurable
 	platform := platforms.AKSCloudHypervisorSNP
 
-	runtimeHandler, err := manifest.DefaultPlatformHandler(platform)
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
 	require.NoError(t, err)
 
 	resources := kuberesource.Emojivoto(kuberesource.ServiceMeshIngressEgress)

internal/kuberesource/parts.go

@@ -19,7 +19,7 @@ import (
 
 // ContrastRuntimeClass creates a new RuntimeClassConfig.
 func ContrastRuntimeClass(platform platforms.Platform) (*RuntimeClassConfig, error) {
-	runtimeHandler, err := manifest.DefaultPlatformHandler(platform)
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
 	if err != nil {
 		return nil, fmt.Errorf("getting default runtime handler: %w", err)
 	}
@@ -45,7 +45,7 @@ type NodeInstallerConfig struct {
 func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstallerConfig, error) {
 	name := "contrast-node-installer"
 
-	runtimeHandler, err := manifest.DefaultPlatformHandler(platform)
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
 	if err != nil {
 		return nil, fmt.Errorf("getting default runtime handler: %w", err)
 	}

internal/kuberesource/resourcegen/main.go

@@ -37,7 +37,7 @@ func main() {
 			log.Fatalf("Error parsing platform: %v", err)
 		}
 
-		runtimeHandler, err = manifest.DefaultPlatformHandler(platform)
+		runtimeHandler, err = manifest.RuntimeHandler(platform)
 		if err != nil {
 			log.Fatalf("Error getting default runtime handler: %v", err)
 		}

internal/manifest/assets/platform-runtime-mapping.json

@@ -0,0 +1 @@
+"THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING"

internal/manifest/referencevalues.go

@@ -11,11 +11,17 @@ import (
 	"strconv"
 )
 
-// EmbeddedReferenceValuesJSON contains the embedded reference values in JSON format.
-// At startup, they are unmarshaled into a globally-shared ReferenceValues struct.
-//
-//go:embed assets/reference-values.json
-var EmbeddedReferenceValuesJSON []byte
+var (
+	// EmbeddedPlatformRuntimeMappingJSON is a 1:1 mapping of platform names to their runtime component hashes.
+	//
+	//go:embed assets/platform-runtime-mapping.json
+	EmbeddedPlatformRuntimeMappingJSON []byte
+
+	// EmbeddedReferenceValuesJSON contains the embedded reference values in JSON format.
+	//
+	//go:embed assets/reference-values.json
+	EmbeddedReferenceValuesJSON []byte
+)
 
 // ReferenceValues contains the workload-independent reference values for each platform.
 type ReferenceValues struct {
@@ -25,6 +31,13 @@ type ReferenceValues struct {
 	BareMetalTDX *BareMetalTDXReferenceValues `json:"bareMetalTDX,omitempty"`
 }
 
+// PlatformRuntimeMapping is a 1:1 mapping of platform names to their runtime component hashes.
+type PlatformRuntimeMapping struct {
+	AKS          string `json:"aks,omitempty"`
+	BareMetalTDX string `json:"bareMetalTDX,omitempty"`
+	BareMetalSNP string `json:"bareMetalSNP,omitempty"`
+}
+
 // AKSReferenceValues contains reference values for AKS.
 type AKSReferenceValues struct {
 	SNP                SNPReferenceValues

internal/manifest/runtimehandler.go

@@ -0,0 +1,34 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package manifest
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/edgelesssys/contrast/internal/platforms"
+)
+
+// RuntimeHandler returns the name of the runtime handler for the given platform.
+func RuntimeHandler(platform platforms.Platform) (string, error) {
+	var mapping PlatformRuntimeMapping
+	if err := json.Unmarshal(EmbeddedPlatformRuntimeMappingJSON, &mapping); err != nil {
+		return "", fmt.Errorf("unmarshal embedded platform handler mapping: %w", err)
+	}
+
+	var runtimeHash string
+	switch platform {
+	case platforms.AKSCloudHypervisorSNP:
+		runtimeHash = mapping.AKS
+	case platforms.RKE2QEMUTDX, platforms.K3sQEMUTDX:
+		runtimeHash = mapping.BareMetalTDX
+	case platforms.K3sQEMUSNP:
+		runtimeHash = mapping.BareMetalSNP
+	default:
+		return "", fmt.Errorf("unsupported platform %s", platform)
+	}
+
+	return fmt.Sprintf("contrast-cc-%s-%s", strings.ToLower(platform.String()), runtimeHash[:8]), nil
+}

internal/manifest/runtimehandler_test.go

@@ -0,0 +1,24 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package manifest
+
+import (
+	"testing"
+
+	"github.com/edgelesssys/contrast/internal/platforms"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRuntimeHandler(t *testing.T) {
+	require := require.New(t)
+	assert := assert.New(t)
+	for _, platform := range platforms.All() {
+		runtimeHandler, err := RuntimeHandler(platform)
+		require.NoError(err)
+		assert.NotEmpty(runtimeHandler)
+		assert.Less(len(runtimeHandler), 64, "runtime handler name can be 63 characters at most")
+		assert.Regexp(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`, runtimeHandler, "runtimeHandlerName must be a lowercase RFC 1123 subdomain")
+	}
+}

nodeinstaller/internal/config/config.go

@@ -8,15 +8,12 @@ import (
 	"errors"
 	"net/url"
 	"path/filepath"
-	"regexp"
 )
 
 // Config is the configuration for the node-installer.
 type Config struct {
 	// Files is a list of files to download.
 	Files []File `json:"files"`
-	// RuntimeHandlerName is the name of the runtime handler (containerd runtime) to create.
-	RuntimeHandlerName string `json:"runtimeHandlerName"`
 	// DebugRuntime enables the debug mode of the runtime.
 	// This only works if the igvm file has shell access enabled
 	// and has no effect on production images.
@@ -25,19 +22,6 @@ type Config struct {
 
 // Validate validates the configuration.
 func (c Config) Validate() error {
-	if c.RuntimeHandlerName == "" {
-		return errors.New("runtimeHandlerName is required")
-	}
-	if len(c.RuntimeHandlerName) > 63 {
-		return errors.New("runtimeHandlerName must be 63 characters or fewer")
-	}
-	matched, err := regexp.Match(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`, []byte(c.RuntimeHandlerName))
-	if err != nil {
-		return err
-	}
-	if !matched {
-		return errors.New("runtimeHandlerName must be a lowercase RFC 1123 subdomain")
-	}
 	for _, file := range c.Files {
 		if err := file.Validate(); err != nil {
 			return err

nodeinstaller/internal/config/config_test.go

@@ -23,7 +23,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "valid http File",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "https://example.com/file1",
 					Path:      "/path/to/file1",
@@ -35,7 +34,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "valid file File",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "file:////example.com/file1",
 					Path:      "/path/to/file1",
@@ -44,42 +42,9 @@ func TestValidate(t *testing.T) {
 			},
 			valid: true,
 		},
-		{
-			name: "missing RuntimeHandlerName",
-			config: Config{
-				Files: []File{{
-					URL:       "https://example.com/file1",
-					Path:      "/path/to/file1",
-					Integrity: "sha256-abcdef123456",
-				}},
-			},
-		},
-		{
-			name: "RuntimeHandlerName too long",
-			config: Config{
-				RuntimeHandlerName: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
-				Files: []File{{
-					URL:       "https://example.com/file1",
-					Path:      "/path/to/file1",
-					Integrity: "sha256-abcdef123456",
-				}},
-			},
-		},
-		{
-			name: "RuntimeHandlerName has invalid characters",
-			config: Config{
-				RuntimeHandlerName: "invalid name=",
-				Files: []File{{
-					URL:       "https://example.com/file1",
-					Path:      "/path/to/file1",
-					Integrity: "sha256-abcdef123456",
-				}},
-			},
-		},
 		{
 			name: "missing URL",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					Path:      "/path/to/file1",
 					Integrity: "sha256-abcdef123456",
@@ -89,7 +54,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "missing Path",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "https://example.com/file1",
 					Integrity: "sha256-abcdef123456",
@@ -99,7 +63,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "missing relative path",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "https://example.com/file1",
 					Path:      "path/to/file1",
@@ -110,7 +73,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "missing Integrity",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:  "https://example.com/file1",
 					Path: "/path/to/file1",
@@ -120,7 +82,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "invalid URL",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "invalid\x00url",
 					Path:      "/path/to/file1",
@@ -131,7 +92,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "invalid scheme",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "ftp://example.com/file1",
 					Path:      "/path/to/file1",
@@ -142,7 +102,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "invalid Integrity algorithm",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "https://example.com/file1",
 					Path:      "/path/to/file1",
@@ -153,7 +112,6 @@ func TestValidate(t *testing.T) {
 		{
 			name: "invalid Integrity value",
 			config: Config{
-				RuntimeHandlerName: "contrast-cc",
 				Files: []File{{
 					URL:       "https://example.com/file1",
 					Path:      "/path/to/file1",