Merge pull request #105 from lmilleri/extend-cert-cache

Extend the KbsLocalCertCacheSpec structure

Author: lmilleri

api/v1alpha1/kbsconfig_types.go

@@ -50,14 +50,21 @@ type IbmSEConfigSpec struct {
 	CertStorePvc string `json:"certStorePvc,omitempty"`
 }
 
-// KbsLocalCertCacheSpec defines the configuration for mounting local certificates into trustee file system
-type KbsLocalCertCacheSpec struct {
+// KbsLocalCertCacheEntry defines a single certificate cache entry with secret and mount path
+type KbsLocalCertCacheEntry struct {
 	// SecretName is the name of the secret that maps to a local directory containing the certificates
-	// +optional
-	SecretName string `json:"secretName,omitempty"`
+	SecretName string `json:"secretName"`
 	// MountPath is the destination path in the trustee file system
+	// The default path is "/etc/kbs/certs" if not specified by the user
+	// +optional
+	MountPath string `json:"mountPath"`
+}
+
+// KbsLocalCertCacheSpec defines the configuration for mounting local certificates into trustee file system
+type KbsLocalCertCacheSpec struct {
+	// Secrets is a list of certificate cache entries, each containing a secret name and mount path
 	// +optional
-	MountPath string `json:"mountPath,omitempty"`
+	Secrets []KbsLocalCertCacheEntry `json:"secrets,omitempty"`
 }
 
 // KbsDeploymentSpec defines the configuration for trustee deployment

api/v1alpha1/zz_generated.deepcopy.go

@@ -106,14 +106,26 @@ spec:
                 description: KbsLocalCertCacheSpec is the struct for mounting local
                   certificates into trustee file system
                 properties:
-                  mountPath:
-                    description: MountPath is the destination path in the trustee
-                      file system
-                    type: string
-                  secretName:
-                    description: SecretName is the name of the secret that maps to
-                      a local directory containing the certificates
-                    type: string
+                  secrets:
+                    description: Secrets is a list of certificate cache entries, each
+                      containing a secret name and mount path
+                    items:
+                      description: KbsLocalCertCacheEntry defines a single certificate
+                        cache entry with secret and mount path
+                      properties:
+                        mountPath:
+                          description: |-
+                            MountPath is the destination path in the trustee file system
+                            The default path is "/etc/kbs/certs" if not specified by the user
+                          type: string
+                        secretName:
+                          description: SecretName is the name of the secret that maps
+                            to a local directory containing the certificates
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                 type: object
               kbsResourcePolicyConfigMapName:
                 description: KbsResourcePolicyConfigMapName is the name of the configmap

bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml

@@ -106,14 +106,26 @@ spec:
                 description: KbsLocalCertCacheSpec is the struct for mounting local
                   certificates into trustee file system
                 properties:
-                  mountPath:
-                    description: MountPath is the destination path in the trustee
-                      file system
-                    type: string
-                  secretName:
-                    description: SecretName is the name of the secret that maps to
-                      a local directory containing the certificates
-                    type: string
+                  secrets:
+                    description: Secrets is a list of certificate cache entries, each
+                      containing a secret name and mount path
+                    items:
+                      description: KbsLocalCertCacheEntry defines a single certificate
+                        cache entry with secret and mount path
+                      properties:
+                        mountPath:
+                          description: |-
+                            MountPath is the destination path in the trustee file system
+                            The default path is "/etc/kbs/certs" if not specified by the user
+                          type: string
+                        secretName:
+                          description: SecretName is the name of the secret that maps
+                            to a local directory containing the certificates
+                          type: string
+                      required:
+                      - secretName
+                      type: object
+                    type: array
                 type: object
               kbsResourcePolicyConfigMapName:
                 description: KbsResourcePolicyConfigMapName is the name of the configmap

config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml

@@ -32,8 +32,35 @@ spec:
   # omitted all the rest of config
   # ...
   kbsLocalCertCacheSpec:
-    secretName: vcek-secret
-    mountPath: "/etc/kbs/snp/ek"
+    secrets:
+    - secretName: vcek-secret
+      mountPath: "/etc/kbs/snp/ek"
 ```
 
-The `VCEK.crt` certificate will be mounted in the trustee `mountPath` directoty.
+The `VCEK.crt` certificate will be mounted in the trustee `mountPath` directory.
+The `mountPath` directory defaults to `/etc/kbs/certs` if not provided by the user.
+
+### Multiple Certificates
+
+You can also mount multiple certificate secrets by adding more entries to the `secrets` list:
+
+```yaml
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:  
+  name: kbsconfig-sample
+  namespace: trustee-operator-system
+spec:
+  # omitted all the rest of config
+  # ...
+  kbsLocalCertCacheSpec:
+    secrets:
+    - secretName: vcek-milan
+      mountPath: "/etc/kbs/snp/ek/milan"
+    - secretName: vcek-genoa
+      mountPath: "/etc/kbs/snp/ek/genoa"
+    - secretName: vcek-turin
+      mountPath: "/etc/kbs/snp/ek/turin"
+```
+
+Each secret will be mounted to its specified `mountPath` in the trustee file system.

docs/disconnected.md

@@ -76,6 +76,9 @@ const (
 
 	// default attestation policy filename for cpu
 	defaultAttestationCpuPolicy = "default_cpu.rego"
+
+	// default directory for locally cached certificates
+	kbsDefaultLocalCacheDir = "/etc/kbs/certs"
 )
 
 func contains(list []string, s string) bool {

internal/controller/common.go

@@ -420,14 +420,17 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
 	volumeMount = createVolumeMount(volume.Name, filepath.Join(kbsDefaultConfigPath, volume.Name))
 	kbsVM = append(kbsVM, volumeMount)
 
-	// Mount local directory into a secret
-	if r.kbsConfig.Spec.KbsLocalCertCacheSpec.SecretName != "" {
-		volume, err = r.createSecretVolume(ctx, r.kbsConfig.Spec.KbsLocalCertCacheSpec.SecretName, r.kbsConfig.Spec.KbsLocalCertCacheSpec.SecretName)
+	// Mount local directories into secrets
+	for _, certCacheEntry := range r.kbsConfig.Spec.KbsLocalCertCacheSpec.Secrets {
+		volume, err = r.createSecretVolume(ctx, certCacheEntry.SecretName, certCacheEntry.SecretName)
 		if err != nil {
 			return nil, err
 		}
 		volumes = append(volumes, *volume)
-		volumeMount = createVolumeMount(volume.Name, r.kbsConfig.Spec.KbsLocalCertCacheSpec.MountPath)
+		if certCacheEntry.MountPath == "" {
+			certCacheEntry.MountPath = kbsDefaultLocalCacheDir
+		}
+		volumeMount = createVolumeMount(volume.Name, certCacheEntry.MountPath)
 		kbsVM = append(kbsVM, volumeMount)
 	}
 
@@ -802,11 +805,21 @@ func secretToKbsConfigMapper(c client.Client, log logr.Logger) (handler.MapFunc,
 
 		var requests []reconcile.Request
 		for _, kbsConfig := range kbsConfigList.Items {
-			if kbsConfig.Spec.KbsAuthSecretName == secret.Name ||
-				kbsConfig.Spec.KbsLocalCertCacheSpec.SecretName == secret.Name ||
+			// Check if secret matches any of the known secret references
+			secretMatches := kbsConfig.Spec.KbsAuthSecretName == secret.Name ||
 				kbsConfig.Spec.KbsHttpsKeySecretName == secret.Name ||
 				kbsConfig.Spec.KbsHttpsCertSecretName == secret.Name ||
-				kbsConfig.Spec.KbsSecretResources != nil && contains(kbsConfig.Spec.KbsSecretResources, secret.Name) {
+				(kbsConfig.Spec.KbsSecretResources != nil && contains(kbsConfig.Spec.KbsSecretResources, secret.Name))
+
+			// Check if secret matches any of the local cert cache secrets
+			for _, certCacheEntry := range kbsConfig.Spec.KbsLocalCertCacheSpec.Secrets {
+				if certCacheEntry.SecretName == secret.Name {
+					secretMatches = true
+					break
+				}
+			}
+
+			if secretMatches {
 				requests = append(requests, reconcile.Request{
 					NamespacedName: types.NamespacedName{
 						Namespace: kbsConfig.Namespace,

internal/controller/kbsconfig_controller.go

@@ -21,8 +21,9 @@ spec:
   KbsEnvVars: 
     RUST_LOG: debug
   kbsLocalCertCacheSpec:
-    secretName: vcek-secret
-    mountPath: "/etc/kbs/snp/ek"
+    secrets:
+      - secretName: vcek-secret
+        mountPath: "/etc/kbs/snp/ek"
   KbsDeploymentSpec:
     replicas: 2