Merge pull request #446 from beraldoleal/release-1.7-v2

Sync release-1.7 with devel

Author: beraldoleal

PROJECT

@@ -13,7 +13,7 @@ repo: github.com/openshift/sandboxed-containers-operator
 resources:
 - group: confidentialcontainers
   kind: PeerPodConfig
-  path: github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl/api/v1alpha1
+  path: github.com/confidential-containers/cloud-api-adaptor/src/peerpodconfig-ctrl/api/v1alpha1
   version: v1alpha1
 - controller: true
   domain: kataconfiguration.openshift.io
@@ -30,7 +30,7 @@ resources:
   controller: true
   domain: confidentialcontainers.org
   kind: PeerPod
-  path: github.com/confidential-containers/cloud-api-adaptor/peerpod-ctrl/api/v1alpha1
+  path: github.com/confidential-containers/cloud-api-adaptor/src/peerpod-ctrl/api/v1alpha1
   version: v1alpha1
 - controller: true
   group: core

config/peerpods/credentials-requests/credentials_request_aws.yaml

@@ -10,8 +10,31 @@ spec:
   providerSpec:
     apiVersion: cloudcredential.openshift.io/v1
     kind: AWSProviderSpec
-    statementEntries: # limit permissions
+    statementEntries:
     - effect: Allow
-      action:
-        - "*"
       resource: "*"
+      action:
+        - "ec2:*"
+        # By default we allow all ec2 actions to prevent dysfunctioning for untested configurations.
+        # The following actions were extracted from AWS CloudTrail Event History,
+        # filtered based on access key, for peer-pod execution with default configuration.
+        # use it to restrict the requested permissions.
+        #- ec2:AuthorizeSecurityGroupIngress
+        #- ec2:CreateDefaultVpc
+        #- ec2:CreateImage
+        #- ec2:CreateKeyPair
+        #- ec2:CreateTags
+        #- ec2:CreateSecurityGroup
+        #- ec2:DeleteKeyPair
+        #- ec2:DeleteSecurityGroup
+        #- ec2:DescribeImages
+        #- ec2:DescribeInstances
+        #- ec2:DescribeInstanceTypes
+        #- ec2:DescribeRegions
+        #- ec2:DescribeSecurityGroups
+        #- ec2:DescribeSubnets
+        #- ec2:DescribeVolumes
+        #- ec2:DescribeVpcs
+        #- ec2:RunInstances
+        #- ec2:StopInstances
+        #- ec2:TerminateInstances

config/peerpods/credentials-requests/credentials_request_azure.yaml

@@ -10,5 +10,7 @@ spec:
   providerSpec:
     apiVersion: cloudcredential.openshift.io/v1
     kind: AzureProviderSpec
-    roleBindings: # limit
-      - role: Contributor
+    roleBindings:
+      - role: Reader
+      - role: Virtual Machine Contributor
+      - role: Network Contributor

config/peerpods/peerpodssecret.yaml

@@ -10,4 +10,10 @@ stringData:
   #LIBVIRT_NET: "default
   #LIBVIRT_POOL: "default"
   #REDHAT_OFFLINE_TOKEN: "" #Required to download rhel base image : Download token from https://access.redhat.com/management/api
-  
+  #HOST_KEY_CERTS: "" #Download the certificate from https://www.ibm.com/support/resourcelink/api/content/public/host-key-documents.html and make sure the certficate lines are aligned
+  # Example:
+  # HOST_KEY_CERTS: |
+  #   -----BEGIN CERTIFICATE-----
+  #   xxx
+  #   xxx
+  #   -----END CERTIFICATE-----

config/peerpods/podvm/lib.sh

@@ -208,20 +208,36 @@ function prepare_source_code() {
     # links must be relative
     if [[ "${AGENT_POLICY}" ]]; then
         echo "Custom agent policy is being set through the AGENT_POLICY value"
-        echo ${AGENT_POLICY} | base64 -d > "${podvm_dir}"/files/etc/kata-opa/custom.rego
-        if [[ $? == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
-            ln -sf custom.rego  "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
+        echo "${AGENT_POLICY}" | base64 -d >"${podvm_dir}"/files/etc/kata-opa/custom.rego
+        return_code=$?
+        if [[ "$return_code" == 0 ]] && grep -q "agent_policy" "${podvm_dir}"/files/etc/kata-opa/custom.rego; then # checks policy validity
+            ln -sf custom.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
         else
             error_exit "Invalid AGENT_POLICY value set, expected base64 encoded valid agent policy, got: \"${AGENT_POLICY}\""
-	fi
+        fi
     elif [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
         echo "Setting custom agent policy to CoCo's recommended policy"
         sed 's/default ReadStreamRequest := true/default ReadStreamRequest := false/;
             s/default ExecProcessRequest := true/default ExecProcessRequest := false/' \
-            "${podvm_dir}"/files/etc/kata-opa/default-policy.rego > "${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
+            "${podvm_dir}"/files/etc/kata-opa/default-policy.rego >"${podvm_dir}"/files/etc/kata-opa/coco-default-policy.rego
         ln -sf coco-default-policy.rego "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
     fi
     echo "~~~ Current Agent Policy ~~~" && cat "${podvm_dir}"/files/etc/kata-opa/default-policy.rego
+
+    # Fix disk mounts for CoCo
+    if [[ "$CONFIDENTIAL_COMPUTE_ENABLED" == "yes" ]]; then
+        create_overlay_mount_unit
+    fi
+
+    # Validate and copy HKD for IBM Z Secure Enablement 
+    if [[ "$SE_BOOT" == "true" ]]; then
+        if [[ -z "$HOST_KEY_CERTS" ]]; then
+            error_exit "Error: HKD is not present."
+        else
+            echo "$HOST_KEY_CERTS" >> "${podvm_dir}/files/HKD.crt"
+        fi
+    fi
+
 }
 
 # Download and extract pause container image
@@ -267,6 +283,36 @@ function download_and_extract_pause_image() {
 
 }
 
+# Function to create overlay mount unit in the podvm files
+# this ensures rw (overlay) layer for the container images are in memory (encrypted)
+function create_overlay_mount_unit() {
+    # The actual mount point is /run/kata-containers/image/overlay
+    local unit_name="run-kata\\x2dcontainers-image-overlay.mount"
+    local unit_path="${podvm_dir}/files/etc/systemd/system/${unit_name}"
+
+    cat <<EOF >"${unit_path}"
+[Unit]
+Description=Mount unit for /run/kata-containers/image/overlay
+Before=kata-agent.service
+
+[Mount]
+What=tmpfs
+Where=/run/kata-containers/image/overlay
+Type=tmpfs
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    echo "Mount unit created at ${unit_name}"
+
+    # Enable the mount unit by creating a symlink
+    # This syntax works to create the symlink to the unit file in ${podvm_dir}/files/etc/systemd/system
+    ln -sf ../"${unit_name}" "${podvm_dir}/files/etc/systemd/system/multi-user.target.wants/${unit_name}" ||
+        error_exit "Failed to enable the overlay mount unit"
+
+}
+
 # Global variables
 
 # Set global variable for the source code directory

config/peerpods/podvm/libvirt-podvm-image-cm.yaml

@@ -21,4 +21,8 @@ data:
   # Libvirt specific
   ORG_ID: ""
   ACTIVATION_KEY: ""
-  BASE_OS_VERSION: "9.2"
+  BASE_OS_VERSION: "9.4"
+
+  # To Enable SE for IBM Z
+  SE_BOOT: "true"
+  

config/peerpods/podvm/libvirt-podvm-image-handler.sh

@@ -8,7 +8,6 @@
 # Create image (-c)
 # Delete image (-C)
 
-set -x
 # include common functions from lib.sh
 # shellcheck source=/dev/null
 # The directory is where libvirt-podvm-image-handler.sh is located
@@ -73,6 +72,15 @@ function create_libvirt_image() {
 # Function to dowload the rhel base image
 
 function download_rhel_kvm_guest_qcow2() {
+    #Validate RHEL version for IBM Z Secure Enablement
+    if [ "$SE_BOOT" == "true" ]; then
+        version=$(echo $BASE_OS_VERSION | awk -F "." '{ print $1 }')
+        release=$(echo $BASE_OS_VERSION | awk -F "." '{ print $2 }')
+        if [[ "$version" -lt 9 || ("$version" -eq 9 && "$release" -lt 4) ]]; then
+            error_exit "Libvirt Secure Execution supports RHEL OS version 9.4 or above"
+        fi
+    fi
+
     ARCH=$(uname -m)
     export ARCH
 

config/peerpods/podvm/osc-podvm-create-job.yaml

@@ -57,11 +57,10 @@ spec:
             - name: payload
               mountPath: /payload
             - name: regauth
-              mountPath: /tmp/regauth  
+              mountPath: /tmp/regauth
             - name: ssh-key-secret
               mountPath: "/root/.ssh/"
               readOnly: true
-              optional: true             
       volumes:
         - name: payload
           emptyDir: {}
@@ -75,4 +74,5 @@ spec:
             - key: id_rsa
               path: "id_rsa"
             defaultMode: 0400
+            optional: true
       restartPolicy: Never

config/peerpods/podvm/osc-podvm-delete-job.yaml

@@ -49,7 +49,6 @@ spec:
             - name: ssh-key-secret
               mountPath: "/root/.ssh/"
               readOnly: true
-              optional: true
       volumes:
         - name: ssh-key-secret
           secret:
@@ -58,5 +57,6 @@ spec:
             - key: id_rsa
               path: "id_rsa"
             defaultMode: 0400
+            optional: true
 
       restartPolicy: Never

controllers/openshift_controller.go

@@ -24,7 +24,7 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl/api/v1alpha1"
+	"github.com/confidential-containers/cloud-api-adaptor/src/peerpodconfig-ctrl/api/v1alpha1"
 
 	appsv1 "k8s.io/api/apps/v1"