Support for IBM SE
New option in the KbsConfig for attaching a PersistentVolumeClaim.
The volume should be created manually by an admin and must contain all
the required IBM certificates and keys.

Signed-off-by: Leonardo Milleri <[email protected]>
lmilleri committed Jul 26, 2024
1 parent c18937f commit 9fa47b0
Showing 15 changed files with 254 additions and 2 deletions.
23 changes: 21 additions & 2 deletions README.md
Expand Up @@ -61,6 +61,17 @@ type KbsConfigSpec struct {
// tdxConfigSpec is the struct that hosts the TDX specific configuration
// +optional
TdxConfigSpec TdxConfigSpec `json:"tdxConfigSpec,omitempty"`

// ibmSEConfigSpec is the struct that hosts the IBMSE specific configuration
// +optional
IbmSEConfigSpec IbmSEConfigSpec `json:"ibmSEConfigSpec,omitempty"`
}

// IbmSEConfigSpec defines the desired state for IBMSE configuration
type IbmSEConfigSpec struct {
// certStorePvc is the name of the PeristentVolumeClaim where certificates/keys are mounted
// +optional
CertStorePvc string `json:"certStorePvc,omitempty"`
}

// TdxConfigSpec defines the desired state for TDX configuration
Expand Down Expand Up @@ -156,8 +167,12 @@ spec:
kbsSecretResources: ["kbsres1"]
# Resource policy
kbsResourcePolicyConfigMapName: resource-policy
# TDX configuration file
kbsTdxConfigMapName: tdx-config
# TDX settings
tdxConfigSpec:
kbsTdxConfigMapName: tdx-config-sample
# IBMSE settings
ibmSEConfigSpec:
certStorePvc: ibmse-pvc
```

## Getting Started
Expand Down Expand Up @@ -241,6 +256,10 @@ You’ll need a Kubernetes cluster to run against. You can use [KIND](https://si
```

It is also possible to create the K8s secrets (a commented out example is provided in the [kustomization.yaml](config/samples/microservices/kustomization.yaml)). To enable the secrets you'd need to uncomment the relevant secret generator entry and patch.

### IBM Secure Execution

For IBM SE specific configuration, please refer to [ibmse.md](docs/ibmse.md).

### Uninstall CRDs

11 changes: 11 additions & 0 deletions api/v1alpha1/kbsconfig_types.go
Expand Up @@ -43,6 +43,13 @@ type TdxConfigSpec struct {
KbsTdxConfigMapName string `json:"kbsTdxConfigMapName,omitempty"`
}

// IbmSEConfigSpec defines the desired state for IBMSE configuration
type IbmSEConfigSpec struct {
// certStorePvc is the name of the PeristentVolumeClaim where certificates/keys are mounted
// +optional
CertStorePvc string `json:"certStorePvc,omitempty"`
}

// KbsConfigSpec defines the desired state of KbsConfig
type KbsConfigSpec struct {
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
Expand Down Expand Up @@ -98,6 +105,10 @@ type KbsConfigSpec struct {
// tdxConfigSpec is the struct that hosts the TDX specific configuration
// +optional
TdxConfigSpec TdxConfigSpec `json:"tdxConfigSpec,omitempty"`

// ibmSEConfigSpec is the struct that hosts the IBMSE specific configuration
// +optional
IbmSEConfigSpec IbmSEConfigSpec `json:"ibmSEConfigSpec,omitempty"`
}

// KbsConfigStatus defines the observed state of KbsConfig
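Review bot: The doc comment on `CertStorePvc` misspells the resource type and leaves out the contract an admin needs to know: `PeristentVolumeClaim` should read `PersistentVolumeClaim`, and because controller-gen copies this comment into both CRD manifests in this commit, the typo is reproduced there too. I would replace the comment with `// certStorePvc is the name of a PersistentVolumeClaim, in the namespace of the KBS deployment, that holds the IBM SE certificates, CRLs, HKDs and RSA key pair; it is mounted read-only at /run/confidential-containers/ibmse/ in the KBS pod.` and regenerate. A `+kubebuilder:validation:MaxLength=253` marker (or a DNS-subdomain pattern) would reject an unusable name at the CRD instead of when the Deployment is created. The `KbsConfigSpec` struct in the second hunk starts and ends outside the hunk.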
16 changes: 16 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


9 changes: 9 additions & 0 deletions bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
Expand Up @@ -39,6 +39,15 @@ spec:
spec:
description: KbsConfigSpec defines the desired state of KbsConfig
properties:
ibmSEConfigSpec:
description: ibmSEConfigSpec is the struct that hosts the IBMSE specific
configuration
properties:
certStorePvc:
description: certStorePvc is the name of the PeristentVolumeClaim
where certificates/keys are mounted
type: string
type: object
kbsAsConfigMapName:
description: |-
KbsAsConfigMapName is the name of the configmap that contains the KBS AS configuration
9 changes: 9 additions & 0 deletions config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
Expand Up @@ -39,6 +39,15 @@ spec:
spec:
description: KbsConfigSpec defines the desired state of KbsConfig
properties:
ibmSEConfigSpec:
description: ibmSEConfigSpec is the struct that hosts the IBMSE specific
configuration
properties:
certStorePvc:
description: certStorePvc is the name of the PeristentVolumeClaim
where certificates/keys are mounted
type: string
type: object
kbsAsConfigMapName:
description: |-
KbsAsConfigMapName is the name of the configmap that contains the KBS AS configuration
19 changes: 19 additions & 0 deletions config/samples/all-in-one/ibmse-pv.yaml
@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: ibmse-pv
namespace: kbs-operator-system
spec:
capacity:
storage: 100Mi
accessModes:
- ReadOnlyMany
storageClassName: ""
local:
path: /opt/confidential-containers/ibmse
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/worker
operator: Exists
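Review bot: The `nodeAffinity` on this `local` PV matches every node labelled `node-role.kubernetes.io/worker`, but a local volume only exists on the node where `/opt/confidential-containers/ibmse` was actually populated; with more than one worker the KBS pod may be scheduled onto a node where the path is missing (pod stays Pending) or, if something else exists at that path there, mount that instead of the intended trust material. Pin the PV to the node holding the files, e.g. `- key: kubernetes.io/hostname`, `operator: In`, `values: ["<node-name>"]`. The `namespace: kbs-operator-system` entry has no meaning on a cluster-scoped PersistentVolume and can be dropped. Since docs/ibmse.md shows what looks like an RSA private key (`rsa/encrypt_key.pem`) in this directory, the sample should also state that the host path must be readable only by root and, ideally, carry a `claimRef` so only the intended claim can bind it.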
12 changes: 12 additions & 0 deletions config/samples/all-in-one/ibmse-pvc.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ibmse-pvc
namespace: kbs-operator-system
spec:
accessModes:
- ReadOnlyMany
storageClassName: ""
resources:
requests:
storage: 100Mi
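Review bot: Nothing ties this claim to `ibmse-pv`: with `storageClassName: ""` and no `volumeName`, the controller binds it to any unbound PV with an empty storage class that satisfies `ReadOnlyMany` and 100Mi, so in a cluster with other pre-provisioned volumes the KBS pod could be handed an unrelated volume as its IBM SE trust material. Add `volumeName: ibmse-pv` under `spec` (and a matching `claimRef` on the PV) so the binding is explicit. Access mode and requested size still have to match the PV for the bind to succeed.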
2 changes: 2 additions & 0 deletions config/samples/all-in-one/kustomization.yaml
Expand Up @@ -30,4 +30,6 @@ resources:
- rvps-reference-values.yaml
- resource-policy.yaml
- tdx-config.yaml
- ibmse-pv.yaml
- ibmse-pvc.yaml
#+kubebuilder:scaffold:manifestskustomizesamples
19 changes: 19 additions & 0 deletions config/samples/microservices/ibmse-pv.yaml
@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: ibmse-pv
namespace: kbs-operator-system
spec:
capacity:
storage: 100Mi
accessModes:
- ReadOnlyMany
storageClassName: ""
local:
path: /opt/confidential-containers/ibmse
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/worker
operator: Exists
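Review bot: The node affinity here selects any worker, yet a `local` PV is backed by a directory on one specific node; if the KBS pod lands elsewhere the mount fails, or picks up whatever is present at `/opt/confidential-containers/ibmse` on that node. Select the node that holds the material instead: `- key: kubernetes.io/hostname`, `operator: In`, `values: ["<node-name>"]`. `namespace:` is not meaningful on a cluster-scoped PersistentVolume and should be removed, and given the directory holds what docs/ibmse.md presents as a private RSA key, a `claimRef` pinning the PV to `kbs-operator-system/ibmse-pvc` is worth adding to the sample.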
12 changes: 12 additions & 0 deletions config/samples/microservices/ibmse-pvc.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ibmse-pvc
namespace: kbs-operator-system
spec:
accessModes:
- ReadOnlyMany
storageClassName: ""
resources:
requests:
storage: 100Mi
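Review bot: This claim can bind to any unbound PV with `storageClassName: ""`, `ReadOnlyMany` and at least 100Mi, not specifically to `ibmse-pv`, which means the IBM SE cert store could silently become some other pre-provisioned volume on clusters that have one. Set `volumeName: ibmse-pv` in `spec` to make the binding explicit (pairing it with a `claimRef` on the PV closes the other direction).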
2 changes: 2 additions & 0 deletions config/samples/microservices/kustomization.yaml
Expand Up @@ -33,4 +33,6 @@ resources:
- rvps-reference-values.yaml
- resource-policy.yaml
- tdx-config.yaml
- ibmse-pv.yaml
- ibmse-pvc.yaml
#+kubebuilder:scaffold:manifestskustomizesamples
95 changes: 95 additions & 0 deletions docs/ibmse.md
@@ -0,0 +1,95 @@
# IBM Secure Execution (SE)

## Download certificate and keys

In order to Trustee to work properly with IBM SE, a directory containing certificates and keys needs to be mounted in the trustee pod file system.
More information about the IBM download process can be found [here](https://github.com/confidential-containers/trustee/blob/main/deps/verifier/src/se/README.md#download-certs-crls).

By the end of the aforementioned procedure, you should end up having a directory like the following:

```
├── certs
│ ├── ibm-z-host-key-signing-gen2.crt
| └── DigiCertCA.crt
├── crls
│ └── ibm-z-host-key-gen2.crl
│ └── DigiCertTrustedRootG4.crl
│ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
├── hdr
│ └── hdr.bin
├── hkds
│ └── HKD-3931-0275D38.crt
└── rsa
├── encrypt_key.pem
└── encrypt_key.pub
```

## Persistent Volume creation

For mounting the above directory to the trustee pod filesystem, we'd need to create a Persistent Volume (PV) and a Persistent Volume Claim (PVC).
The configuration of PV/PVC is deployment specific (e.g. dependent on cloud provider), so it is not reported here in this guide.

In a development environment, you may want to create a PV/PVC that makes use of a local directory. This approach is not recommended for production environments:

PersistentVolume:

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: ibmse-pv
namespace: kbs-operator-system
spec:
capacity:
storage: 100Mi
accessModes:
- ReadOnlyMany
storageClassName: ""
local:
path: /opt/confidential-containers/ibmse
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/worker
operator: Exists
```
Note: the `path` has to match a local directory on the worker node.

PersistentVolumeClaim:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ibmse-pvc
namespace: kbs-operator-system
spec:
accessModes:
- ReadOnlyMany
storageClassName: ""
resources:
requests:
storage: 100Mi
```

## KBS config CRD

For enabling IBM specific configuration in trustee pod, the `KbsConfig` custom resource should have the `ibmSEConfigSpec` section populated as in the following example:

```yaml
apiVersion: confidentialcontainers.org/v1alpha1
kind: KbsConfig
metadata:
name: kbsconfig-sample
namespace: kbs-operator-system
spec:
# omitted all the rest of config
# ...
# IBMSE settings
ibmSEConfigSpec:
certStorePvc: ibmse-pvc
```

The `certStorePvc` has to match the aforementioned PVC name.
3 changes: 3 additions & 0 deletions internal/controller/common.go
Expand Up @@ -67,6 +67,9 @@ const (

// TDX config file
tdxConfigFile = "sgx_default_qcnl.conf"

// IBM SE path
ibmSePath = "/run/confidential-containers/ibmse/"
)

func contains(list []string, s string) bool {
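Review bot: The new `ibmSePath` constant says nothing about the contract it encodes, so a reader cannot tell from here what must be under the mount or who consumes it. I would document it as `// ibmSePath is the read-only mount point in the KBS pod for the IBM SE cert store PVC (certs/, crls/, hdr/, hkds/, rsa/ as described in docs/ibmse.md); it must match the directory the trustee SE verifier reads its certificates from.` — the consumer path is presumed from the trustee README linked in the docs and should be confirmed there.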
11 changes: 11 additions & 0 deletions internal/controller/kbsconfig_controller.go
Expand Up @@ -380,6 +380,17 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
kbsVM = append(kbsVM, volumeMount)
}

// IBMSE specific configuration
if r.kbsConfig.Spec.IbmSEConfigSpec.CertStorePvc != "" {
volume, err := r.createPVCVolume(ctx, r.kbsConfig.Spec.IbmSEConfigSpec.CertStorePvc)
if err != nil {
return nil, err
}
volumeMount = createVolumeMount(volume.Name, ibmSePath)
volumes = append(volumes, *volume)
kbsVM = append(kbsVM, volumeMount)
}

// auth-secret
volume, err = r.createSecretVolume(ctx, "auth-secret", r.kbsConfig.Spec.KbsAuthSecretName)
if err != nil {
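Review bot: `volume.Name` is the raw, user-supplied PVC name, so a KbsConfig whose `certStorePvc` is `auth-secret` produces a duplicate volume name with the `auth-secret` volume appended right below, and a PVC name that is a valid DNS subdomain but not a DNS label (dots, or longer than 63 characters) is an invalid volume name — either way the Deployment is rejected by the API server at creation rather than at validation. Use a fixed volume name for this mount, e.g. `createVolumeMount("ibmse-certstore", ibmSePath)` with the volume built under that name and the PVC only as its `claimName`. I would also set `volumeMount.ReadOnly = true` after the `createVolumeMount` call if that helper does not already do so; Kubernetes documents the PVC `readOnly` flag as forcing read-only on the mounts, so this is belt-and-braces, but for a directory holding CA certificates, CRLs and a private key the intent should be explicit at the mount too. `newKbsDeployment` starts and ends outside this hunk.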
13 changes: 13 additions & 0 deletions internal/controller/volumes.go
Expand Up @@ -132,3 +132,16 @@ func createVolumeMountWithSubpath(volumeName string, mountPath string, subPath s
SubPath: subPath,
}
}

func (r *KbsConfigReconciler) createPVCVolume(ctx context.Context, volumeName string) (*corev1.Volume, error) {
volume := corev1.Volume{
Name: volumeName,
VolumeSource: corev1.VolumeSource{
PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
ClaimName: volumeName,
ReadOnly: true,
},
},
}
return &volume, nil
}
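Review bot: `createPVCVolume` uses one string as both the pod volume `Name` and the `ClaimName`, which couples an internal identifier to user input: volume names must be DNS-1123 labels (no dots, at most 63 characters) whereas PVC names may be DNS subdomains, and the name can collide with another volume in the same pod (the caller appends `auth-secret` immediately after this one), in both cases the Deployment fails to create. Take the two names separately — `func (r *KbsConfigReconciler) createPVCVolume(ctx context.Context, volumeName, claimName string) (*corev1.Volume, error)` with `Name: volumeName` and `ClaimName: claimName` — and have the caller pass a fixed volume name. `ctx` and the `error` return are currently unused; if the intent is to mirror `createSecretVolume`, which presumably looks the referenced object up, add that lookup so a missing PVC is reported at reconcile time instead of leaving the pod Pending, otherwise drop both.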
