aa_kbc_params: centralize handling in CDH and AA #440
Conversation
mkulke
force-pushed
the
mkulke/centralize-aa_kbc_params-handling
branch
2 times, most recently
from
678883b to
a791697
Compare
|
The unit tests should pass once #438 has been merged and this is rebased. the failing image-rs tests seem unrelated, they seem to fail in other PRs in a similar fashion |
mkulke
force-pushed
the
mkulke/centralize-aa_kbc_params-handling
branch
from
a791697 to
90ceea3
Compare
this is mostly attempting to consolidate what exists at the moment (in a non-breaking fashion) so we can more easily iterate on a future solution. |
In both AA and CDH there is logic to retrieve aa_kbc_params through various means. This change moves all related logic into a single place to guarantee consistency and make it easier to iterate on the way we retrieve aa_kbc_params (it is expected that the current approaches will be replaced by init_data in some fashion). A dependency to `attestation_agent` has been added to the CDH/KMS project to gain access to AA's `aa_kbc_params` module. I think this dependency is warranted, since this code is already coupled to AA implicitly (by depending on aa_kbc_params). Signed-off-by: Magnus Kulke <[email protected]>
|
Overall, the deduplication is quite good. However, there are still some issues that need to be synchronized, which may or may not be related to this PR
Overall, I recommend that we
Did I miss anything? |
Yes, a configuration file would also work for this purpose and possibly be more future proof. The motivation for introducing env was mostly to work around the current heuristic "if there is a peerpod file on the fs => parse kata-agent config for aa config" which couples AA to kata and peerpod in obscure ways. I understand that you think we can introduce a configuration file now, even if the structure of the configuration is not completely settled yet. E.g. this configuration file could be just like this for now? [kbc]
name = "cc_kbc"
uri = "https://some.kbs:8080"
Ok |
|
btw, the image-rs ci has been fixed by #441. You can take a rebase to make CI happy then |
mkulke
force-pushed
the
mkulke/centralize-aa_kbc_params-handling
branch
3 times, most recently
from
023ca36 to
b0851d9
Compare
In both AA and CDH there is duplicate logic to retrieve aa_kbc_params through various means. This change moves all related logic into a single place to guarantee consistency and make it easier to iterate on the way we retrieve aa_kbc_params (it is expected that the current approaches will be replaced by init_data in some fashion).
Besides kernel cmdline and kata-agent config a third option that takes precedence over the other approaches has been added. This will help with testing, so we don't need to rely on the peerpod detection heurstic for that.Edit: will be replaced by an aa config-file, see discussion below
e.g.
AA_KBC_PARAMS=cc_kbc::http://localhost:8080 ./attestation-agent -a unix://tmp/aa-test.sockA dependency to
attestation_agenthas been added to the CDH/KMS project to gain access to AA'saa_kbc_paramsmodule. I think this dependency is warranted, since this code is already coupled to AA implicitly (by depending on aa_kbc_params).