Merge pull request #56 from lmilleri/latest-upstream

Update configuration files

Author: bpradipt

README.md

@@ -97,20 +97,29 @@ metadata:
   name: kbs-config-grpc
   namespace: trustee-operator-system
 data:
-  kbs-config.json: |
-    {
-        "insecure_http" : false,
-        "sockets": ["0.0.0.0:8080"],
-        "auth_public_key": "/etc/auth-secret/kbs.pem",
-        "private_key": "/etc/https-key/key.pem",
-        "certificate": "/etc/https-cert/cert.pem",
-        "attestation_token_config": {
-          "attestation_token_type": "CoCo"
-        },
-        "grpc_config" : {
-          "as_addr": "http://127.0.0.1:50004"
-        }
-    }
+  kbs-config.toml: |
+    [http_server]
+    sockets = ["0.0.0.0:8080"]
+    insecure_http = true
+    [admin]
+    insecure_api = true
+    auth_public_key = "/etc/auth-secret/kbs.pem"
+
+    [attestation_token]
+    insecure_key = true
+
+    [attestation_service]
+    type = "coco_as_grpc"
+    as_addr = "http://127.0.0.1:50004"
+
+    [[plugins]]
+    name = "resource"
+    type = "LocalFs"
+    dir_path = "/opt/confidential-containers/kbs/repository"
+
+    [policy_engine]
+    policy_path = "/opt/confidential-containers/opa/policy.rego"
+
 ```
 
 If HTTPS support is not needed, please set `insecure_http=true` and no need to specify the attributes `private_key` and `certificate`.
@@ -216,10 +225,6 @@ You’ll need a Kubernetes cluster to run against. You can use [KIND](https://si
 
   This is an example. Change it to real values as per your requirements.
 
-  It is recommended to uncomment the secret generation for the trustee authorization in the  [kustomization.yaml](config/samples/microservices/kustomization.yaml), for both public and private key (`kbs-auth-public-key` and `kbs-client` secrets)
-
-  For enabling logs with DEBUG severity, uncomment the `patch-env-vars.yaml` line in the  [kustomization.yaml](config/samples/microservices/kustomization.yaml).
-
   ```sh
   cd config/samples/microservices
   # or config/samples/all-in-one for the integrated mode

config/samples/all-in-one/ita-kbs-config.yaml

@@ -4,39 +4,29 @@ metadata:
   name: ita-kbs-config
   namespace: trustee-operator-system
 data:
-  kbs-config.json: |
-    {
-        "insecure_http" : true,
-        "sockets": ["0.0.0.0:8080"],
-        "auth_public_key": "/etc/auth-secret/kbs.pem",
-        "attestation_token_config": {
-          "attestation_token_type": "Jwk",
-          "trusted_certs_paths": ["https://portal.trustauthority.intel.com"]
-        },
-        "repository_config": {
-          "type": "LocalFs",
-          "dir_path": "/opt/confidential-containers/kbs/repository"
-        },
-        "as_config": {
-          "work_dir": "/opt/confidential-containers/attestation-service",
-          "policy_engine": "opa",
-          "attestation_token_broker": "Simple",
-          "attestation_token_config": {
-            "duration_min": 5
-          },
-          "rvps_config": {
-            "store_type": "LocalJson",
-            "store_config": {
-              "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json"
-            }
-          }
-        },
-        "policy_engine_config": {
-          "policy_path": "/opt/confidential-containers/opa/policy.rego"
-        },
-        "intel_trust_authority_config" : {
-          "base_url": "https://api.trustauthority.intel.com",
-          "api_key": "tBfd5kKX2x9ahbodKV1...",
-          "certs_file": "https://portal.trustauthority.intel.com"
-        }
-    }
+  kbs-config.toml: |
+    [http_server]
+    sockets = ["0.0.0.0:8080"]
+    insecure_http = true
+
+    [admin]
+    insecure_api = true
+    auth_public_key = "/etc/auth-secret/kbs.pem"
+
+    [attestation_token]
+    trusted_jwk_sets = ["https://portal.trustauthority.intel.com"]
+
+    [attestation_service]
+    type = "intel_ta"
+    base_url = "https://api.trustauthority.intel.com"
+    api_key = "tBfd5kKX2x9ahbodKV1..."
+    certs_file = "https://portal.trustauthority.intel.com"
+    allow_unmatched_policy = true
+
+    [[plugins]]
+    name = "resource"
+    type = "LocalFs"
+    dir_path = "/opt/confidential-containers/kbs/repository"
+
+    [policy_engine]
+    policy_path = "/opt/confidential-containers/opa/policy.rego"

config/samples/all-in-one/kbs-config.yaml

@@ -4,33 +4,37 @@ metadata:
   name: kbs-config
   namespace: trustee-operator-system
 data:
-  kbs-config.json: |
-    {
-        "insecure_http" : true,
-        "sockets": ["0.0.0.0:8080"],
-        "auth_public_key": "/etc/auth-secret/kbs.pem",
-        "attestation_token_config": {
-          "attestation_token_type": "CoCo"
-        },
-        "repository_config": {
-          "type": "LocalFs",
-          "dir_path": "/opt/confidential-containers/kbs/repository"
-        },
-        "as_config": {
-          "work_dir": "/opt/confidential-containers/attestation-service",
-          "policy_engine": "opa",
-          "attestation_token_broker": "Simple",
-          "attestation_token_config": {
-            "duration_min": 5
-          },
-          "rvps_config": {
-            "store_type": "LocalJson",
-            "store_config": {
-              "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json"
-            }
-          }
-        },
-        "policy_engine_config": {
-          "policy_path": "/opt/confidential-containers/opa/policy.rego"
-        }
-    }
+  kbs-config.toml: |
+    [http_server]
+    sockets = ["0.0.0.0:8080"]
+    insecure_http = true
+
+    [admin]
+    insecure_api = true
+    auth_public_key = "/etc/auth-secret/kbs.pem"
+
+    [attestation_token]
+    insecure_key = true
+
+    [attestation_service]
+    type = "coco_as_builtin"
+    work_dir = "/opt/confidential-containers/attestation-service"
+    policy_engine = "opa"
+      [attestation_service.attestation_token_broker]
+      type = "Ear"
+      [attestation_service.attestation_token_config]
+      duration_min = 5
+      [attestation_service.rvps_config]
+      type = "BuiltIn"
+      store_type = "LocalJson"
+        [attestation_service.rvps_config.store_config]
+        file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+
+    [[plugins]]
+    name = "resource"
+    type = "LocalFs"
+    dir_path = "/opt/confidential-containers/kbs/repository"
+
+    [policy_engine]
+    policy_path = "/opt/confidential-containers/opa/policy.rego"
+

config/samples/all-in-one/kustomization.yaml

@@ -1,31 +1,32 @@
 ## Append samples you want in your CSV to this file as resources ##
+namespace: trustee-operator-system
 generatorOptions:
   disableNameSuffixHash: true
 
 # uncomment to generate secrets for kbs authorization
-# secretGenerator:
-# - name: kbs-auth-public-key
-#   files:
-#   - kbs.pem
-# - name: kbs-client
-#   files:
-#   - privateKey
+secretGenerator:
+- name: kbs-auth-public-key
+  files:
+  - kbs.pem
+- name: kbs-client
+  files:
+  - privateKey
 
 # uncomment the following lines for injecting sample resources in kbs
-#- name: kbsres1
-#  literals:
-#  - key1=res1val1
-#  - key2=res1val2
+- name: kbsres1
+  literals:
+  - key1=res1val1
+  - key2=res1val2
 
 patches:
 - path: patch-ref-values.yaml
 - path: patch-attestation-policy.yaml
 - path: patch-resource-policy.yaml
 - path: patch-tdx-config.yaml
 # uncomment the following line for injecting sample resources in kbs
-#- path: patch-kbs-resources.yaml
+- path: patch-kbs-resources.yaml
 # uncomment the following line for enabling DEBUG logs
-# - path: patch-env-vars.yaml
+- path: patch-env-vars.yaml
 
 resources:
 - kbsconfig_sample.yaml

config/samples/all-in-one/patch-ita-config.yaml

@@ -2,6 +2,6 @@ apiVersion: confidentialcontainers.org/v1alpha1
 kind: KbsConfig
 metadata:
   name: kbsconfig-sample
-  namespace: kbs-operator-system
+  namespace: trustee-operator-system
 spec:
   kbsItaConfigMapName: ita-config

config/samples/all-in-one/resource-policy.yaml

@@ -7,7 +7,4 @@ data:
   policy.rego: |
     package policy
 
-    default allow = false
-    allow {
-            input["tee"] != "sample"
-    }
+    default allow = true

config/samples/microservices/as-config.yaml

@@ -9,9 +9,12 @@ data:
         "work_dir": "/opt/confidential-containers/attestation-service",
         "policy_engine": "opa",
         "rvps_config": {
+            "type": "BuiltIn",
             "remote_addr":"http://127.0.0.1:50003"
         },
-        "attestation_token_broker": "Simple",
+        "attestation_token_broker": {
+          "type": "Ear"
+        },
         "attestation_token_config": {
           "duration_min": 5
         }

config/samples/microservices/ita-kbs-config.yaml

@@ -4,30 +4,29 @@ metadata:
   name: ita-kbs-config-grpc
   namespace: trustee-operator-system
 data:
-  kbs-config.json: |
-    {
-        "insecure_http" : true,
-        "sockets": ["0.0.0.0:8080"],
-        "auth_public_key": "/etc/auth-secret/kbs.pem",
-        "private_key": "/etc/https-key/key.pem",
-        "certificate": "/etc/https-cert/cert.pem",
-        "attestation_token_config": {
-          "attestation_token_type": "Jwk",
-          "trusted_certs_paths": ["https://portal.trustauthority.intel.com"]
-        },
-        "grpc_config" : {
-          "as_addr": "http://127.0.0.1:50004"
-        },
-        "repository_config": {
-          "type": "LocalFs",
-          "dir_path": "/opt/confidential-containers/kbs/repository"
-        },
-        "policy_engine_config": {
-          "policy_path": "/opt/confidential-containers/opa/policy.rego"
-        },
-        "intel_trust_authority_config" : {
-          "base_url": "https://api.trustauthority.intel.com",
-          "api_key": "tBfd5kKX2x9ahbodKV1...",
-          "certs_file": "https://portal.trustauthority.intel.com"
-        }
-    }
+  kbs-config.toml: |
+    [http_server]
+    sockets = ["0.0.0.0:8080"]
+    insecure_http = true
+
+    [admin]
+    insecure_api = true
+    auth_public_key = "/etc/auth-secret/kbs.pem"
+
+    [attestation_token]
+    trusted_jwk_sets = ["https://portal.trustauthority.intel.com"]
+
+    [attestation_service]
+    type = "intel_ta"
+    base_url = "https://api.trustauthority.intel.com"
+    api_key = "tBfd5kKX2x9ahbodKV1..."
+    certs_file = "https://portal.trustauthority.intel.com"
+    allow_unmatched_policy = true
+
+    [[plugins]]
+    name = "resource"
+    type = "LocalFs"
+    dir_path = "/opt/confidential-containers/kbs/repository"
+
+    [policy_engine]
+    policy_path = "/opt/confidential-containers/opa/policy.rego"

config/samples/microservices/kbs-config.yaml

@@ -4,24 +4,26 @@ metadata:
   name: kbs-config-grpc
   namespace: trustee-operator-system
 data:
-  kbs-config.json: |
-    {
-        "insecure_http" : true,
-        "sockets": ["0.0.0.0:8080"],
-        "auth_public_key": "/etc/auth-secret/kbs.pem",
-        "private_key": "/etc/https-key/key.pem",
-        "certificate": "/etc/https-cert/cert.pem",
-        "attestation_token_config": {
-          "attestation_token_type": "CoCo"
-        },
-        "grpc_config" : {
-          "as_addr": "http://127.0.0.1:50004"
-        },
-        "repository_config": {
-          "type": "LocalFs",
-          "dir_path": "/opt/confidential-containers/kbs/repository"
-        },
-        "policy_engine_config": {
-          "policy_path": "/opt/confidential-containers/opa/policy.rego"
-        }
-    }
+  kbs-config.toml: |
+    [http_server]
+    sockets = ["0.0.0.0:8080"]
+    insecure_http = true
+
+    [admin]
+    insecure_api = true
+    auth_public_key = "/etc/auth-secret/kbs.pem"
+
+    [attestation_token]
+    insecure_key = true
+
+    [attestation_service]
+    type = "coco_as_grpc"
+    as_addr = "http://127.0.0.1:50004"
+
+    [[plugins]]
+    name = "resource"
+    type = "LocalFs"
+    dir_path = "/opt/confidential-containers/kbs/repository"
+
+    [policy_engine]
+    policy_path = "/opt/confidential-containers/opa/policy.rego"