Add nebula_ca plugin #539
Open
Add nebula_ca plugin #539
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The plugin can create a Nebula certificate authority to provide
credentials for CoCo PODs (or VMs) that want to join a Nebula encrypted
overlay network. A credential is provided only for attested CoCo PODs.
The steps below can be used to build and start trustee with support for
the 'nebula-ca' plugin. The first step builds the KBS with the
'nebula-ca' cargo feature enabled. The second step configures the
plugin as explained in the kbs/docs/config.md.
$ docker compose build --build-arg NEBULA_CA=true
$ cat >> kbs/config/docker-compose/kbs-config.toml << EOF
[[plugins]]
name = "nebula-ca"
nebula_cert_bin_path = "/usr/local/bin/nebula-cert"
work_dir = "/opt/confidential-containers/kbs/nebula-ca"
[plugins.self_signed_ca]
name = "Nebula CA for Trustee KBS"
EOF
$ docker compose up
The nebula-ca is a self signed certificate authority. When the plugin is
started, it will create the CA key and certificate based on the
configuration provided in the kbs-config.toml file, unless the
${work_dir}/ca/ca.{key,crt} already exists.
A credential can be requested via GET /kbs/v0/nebula-ca/credential.
Additional parameters can be provided via query string:
/// Required: name of the cert, usually hostname or podname
name: String,
/// Required: IPv4 address and network in CIDR notation to assign the cert
ip: String,
/// Optional: how long the cert should be valid for.
/// The default is 1 second before the signing cert expires.
/// Valid time units are seconds: "s", minutes: "m", hours: "h".
duration: Option<String>,
/// Optional: comma separated list of groups.
groups: Option<String>,
/// Optional: comma separated list of ipv4 address and network in CIDR notation.
/// Subnets this cert can serve for
subnets: Option<String>,
For example, the GET below provides two required parameters via query
string: name and IP address (CIDR notation). Other examples can be found
in the unit test cases defined in the nebula_ca.rs file.
GET /kbs/v0/nebula-ca/credential?name=podA&ip=10.9.8.2/21
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
cclaudio
force-pushed
the
nebula-plugin
branch
from
4359304 to
a48c6de
Compare
|
This PR is ready for review. I updated the PR description with the steps to build and test it. |
portersrc
approved these changes
Jan 9, 2025
There was a problem hiding this comment.
lgtm
I review this by going through the code and looking for bugs -- I didn't spot anything.
I also tried to build and run. docker compose up fails for me but for reasons unrelated to your work, I think. If you eventually lift those instructions and put them in docs or a tutorial, we can add some more details.
fitzthum
reviewed
Jan 9, 2025
| | Property | Type | Description | Required | Example | | ||
| |------------------------|--------|-----------------------------------|----------|-----------------------------------------------------| | ||
| | `nebula_cert_bin_path` | String | nebula-cert binary path | Yes | `/usr/local/bin/nebula-cert` | | ||
| | `work_dir` | String | This plugin work directory, it requires `rw` permission | Yes | `/opt/confidential-containers/kbs/nebula-ca` | |
There was a problem hiding this comment.
Do these need to be required? It seems like we could have default values for both parameters.
|
|
||
| | Property | Type | Description | Required | Default | Example | | ||
| |---------------------|---------|-----------------------------------|----------|-----------------------------------------------------| | ||
| | `name` | String | Name of the certificate authority | Yes | | `Nebula Ca for Trustee KBS` | |
There was a problem hiding this comment.
This also seems like it could have a default value
| } | ||
| if let Some(value) = &ca.subnets { | ||
| args.extend_from_slice(&["-subnets".into(), value.into()]); | ||
| } |
There was a problem hiding this comment.
You might be able to use a macro to make this a little less repetitive.
| @@ -33,6 +33,9 @@ aliyun = ["kms/aliyun"] | |||
| # Use pkcs11 resource backend to store secrets in an HSM | |||
| pkcs11 = ["cryptoki"] | |||
|
|
|||
| # Use Nebula CA to provide credentials for nodes (pods) to join a Nebula overlay network | |||
| nebula-ca = [] | |||
There was a problem hiding this comment.
maybe we should have a convention for features that enable plugins. we could call this nebula-ca-plugin for instance
There was a problem hiding this comment.
I agree and I like nebula-ca-plugin
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds the nebula_ca plugin.
How to build it
The first step builds trustee with the 'nebula-ca' cargo feature enabled.
The second step configures the plugin as explained in the kbs/docs/config.md.
The third step runs all trustee components.
$ docker compose build --build-arg NEBULA_CA=true $ cat >> kbs/config/docker-compose/kbs-config.toml << EOF [[plugins]] name = "nebula-ca" nebula_cert_bin_path = "/usr/local/bin/nebula-cert" work_dir = "/opt/confidential-containers/kbs/nebula-ca" [plugins.self_signed_ca] name = "Nebula CA for Trustee KBS" EOF $ docker compose upHow to test it
Ultimately, the plugin will be called from the CDH (confidential-containers/guest-components#763). In the meantime, we can use the kbs-client to test it.
You will need the kbs-client patch (or hack :-D) available in the branch https://github.com/cclaudio/trustee/tree/nebula-ca-plugin-test to build the kbs-client and test the plugin.
With that patch applied or the entire branch cloned, build the kbs-client:
Assuming the trustee is already running, request a credential to the nebula-ca plugin:
That should return a Credential structure like:
{ "node_crt":[45,45,45,45,45,66,69,71,73,78,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10,67,110,85,75,66,72,66,118,90,69,69,83,67,89,75,81,112,70,67,65,56,80,47,47,68,120,111,83,103,73,67,73,67,73,68,119,47,47,56,80,103,73,67,73,67,73,68,119,47,47,56,80,75,76,80,47,43,55,115,71,77,76,88,80,10,120,115,99,71,79,105,68,48,99,57,104,75,115,99,73,119,69,84,116,118,74,54,48,99,53,122,119,69,104,119,101,49,48,74,55,111,73,55,111,101,117,68,102,97,77,89,117,87,67,85,111,103,76,70,48,75,99,85,79,112,81,73,114,106,10,110,74,51,101,72,116,68,120,103,84,67,68,69,54,116,106,76,82,50,87,111,90,98,54,103,53,50,89,71,56,85,83,81,70,118,115,85,87,69,89,83,108,83,110,88,97,53,102,48,52,88,78,82,67,109,88,84,85,66,122,51,73,90,67,10,86,121,120,86,88,68,101,50,85,70,84,76,72,105,83,82,121,82,112,69,48,82,122,97,51,100,107,113,117,70,118,106,52,70,83,70,88,72,70,80,89,122,108,107,79,104,43,107,106,90,108,121,83,103,65,61,10,45,45,45,45,45,69,78,68,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10], "node_key":[45,45,45,45,45,66,69,71,73,78,32,78,69,66,85,76,65,32,88,50,53,53,49,57,32,80,82,73,86,65,84,69,32,75,69,89,45,45,45,45,45,10,104,74,67,43,105,85,86,56,113,109,122,85,105,57,75,87,118,73,110,83,110,114,53,65,104,108,80,43,108,52,118,70,105,69,117,101,84,77,76,47,73,76,111,61,10,45,45,45,45,45,69,78,68,32,78,69,66,85,76,65,32,88,50,53,53,49,57,32,80,82,73,86,65,84,69,32,75,69,89,45,45,45,45,45,10], "ca_crt":[45,45,45,45,45,66,69,71,73,78,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10,67,107,115,75,71,85,53,108,89,110,86,115,89,83,66,68,81,83,66,109,98,51,73,103,86,72,74,49,99,51,82,108,90,83,66,76,81,108,77,111,116,117,106,66,117,65,89,119,116,115,47,71,120,119,89,54,73,79,48,86,104,52,122,84,10,83,81,121,52,108,117,54,105,122,68,98,72,102,114,72,122,65,69,117,66,120,112,108,53,88,70,65,102,115,114,47,108,85,88,98,105,81,65,69,83,81,77,77,99,108,110,105,101,117,84,100,98,97,55,56,48,80,102,82,76,101,109,77,117,10,104,90,73,89,69,50,89,97,86,112,100,105,105,72,50,75,119,81,87,43,54,113,112,89,115,105,113,119,66,98,106,53,85,72,56,100,116,114,78,101,49,43,90,122,75,86,69,76,74,65,109,80,115,79,83,105,89,84,100,115,71,81,103,61,10,45,45,45,45,45,69,78,68,32,78,69,66,85,76,65,32,67,69,82,84,73,70,73,67,65,84,69,45,45,45,45,45,10] }