Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dynamic container image registry authentication to use new method #1119

Closed
stevenhorsman opened this issue Jun 23, 2023 · 7 comments
Closed

Update dynamic container image registry authentication to use new method #1119

stevenhorsman opened this issue Jun 23, 2023 · 7 comments
Assignees
@bpradipt

Comments

@stevenhorsman
Copy link
Member

We currently have a system, as documented in https://github.com/confidential-containers/cloud-api-adaptor/blob/main/docs/registries-authentication.md, and that lets a user set auth.json secrets in their kustomize overlay and then base64 encodes that files content and add it to /etc/aa-offline_fs_kbc-resources.json so that it can get picked up by the offline_fs_kbc module of the attestation-agent. This means that in order to use this functionality the 'main' attestation-agent built into the podvm has to be configured to use offline_fs_kbc

Recently in kata-containers/kata-containers#6707, support has been added for overriding the default path used for credentials (and signature and policy info) so that rather than using the kbs, if can be read directly from the file, by setting the image_registry_auth_file parameter. So in theory we could update the logic that currently encoded and adds the auth.json into /etc/aa-offline_fs_kbc-resources.json to instead write it somewhere like /etc/auth.json and then add image_registry_auth_file=file:///etc/auth.json into the agent-config.toml and we'd not longer have the offline_fs_kbc requirement on the registry credentials feature (note we'd still need an attestation-agent running I'd guess).

We'd then be free to update the podvm built attestation-agent to use a remote module (e.g. cc_kbc) if that suited.

Note: this hasn't currently been tested in kata-containers until kata-containers/tests#5688 is implemented and I might have got some of the details wrong.
@stevenhorsman
Copy link
Member Author

cc @mkulke, @snir911 - I think this might be interesting to you?

@mkulke
Copy link
Collaborator

mkulke commented Jun 23, 2023

sounds like a good option 👍

@bpradipt
Copy link
Member

nice.. This will avoid us having two AA builds for some use cases

@bpradipt
Copy link
Member

bpradipt commented Aug 1, 2023

Just checking if anyone has started working on this one ?

@bpradipt
Copy link
Member

As mentioned in the community call today, I have started working on this issue.

@bpradipt bpradipt self-assigned this Sep 13, 2023
@bpradipt
Copy link
Member

I tried this approach and it seems to work. Changes are in https://github.com/bpradipt/cloud-api-adaptor/tree/aws-snp-misc

While implementing a question came to my mind:

Are the two approaches of providing userdata - one via config-drive attachment and another via metadata service same from security stand point? Is any particular approach relatively more secure than the other ?

@stevenhorsman @mkulke @katexochen and others would you have some insights ?

@mkulke
Copy link
Collaborator

mkulke commented Sep 14, 2023
edited
Loading

I raised a related issue on kata-containers, which will force us to use bogus auth.json files, if we we use cc_kbc: kata-containers/kata-containers#7935

bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Sep 16, 2023
@bpradipt
cloud: Add registry auth json to userdata
c41b472 
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config
Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Sep 16, 2023
@bpradipt
cloud: Add registry auth json to userdata
1c79cc7 
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config
Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Sep 16, 2023
@bpradipt
cloud: Add registry auth json to userdata
5c85948 
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file
depending on the type of kbc used - offline_kbc or cc_kbc

offline_kbc and cc_kbc expects the container registry auth to be
provided in its own unique way.

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Sep 20, 2023
@bpradipt
cloud: Add registry auth json to userdata
99913b2 
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file
depending on the type of kbc used - offline_kbc or cc_kbc

offline_kbc and cc_kbc expects the container registry auth to be
provided in its own unique way.

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Sep 20, 2023
@bpradipt
cloud: Add registry auth json to userdata
e6a613a 
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
bpradipt added a commit to bpradipt/cloud-api-adaptor that referenced this issue Sep 20, 2023
@bpradipt
cloud: Add registry auth json to userdata
4e1af63 
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
lysliu pushed a commit to lysliu/cloud-api-adaptor that referenced this issue Nov 9, 2023
@bpradipt
cloud: Add registry auth json to userdata
4e83e7f 
This patch makes the auth json used for container registry available via
userdata. There are two parts of the change.
Part-1 is for CAA, to add the auth json to the daemon config

Part-2 is for the process-user-data command to process the auth json and
update the kata agent-config toml to refer to the auth json file

Fixes: confidential-containers#1119
Signed-off-by: Pradipta Banerjee <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bpradipt bpradipt

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mkulke @bpradipt @stevenhorsman