Add trustee-agent - a simple tool to fetch secrets from Trustee #791
Conversation
|
|
uril
force-pushed
the
trustee-agent
branch
2 times, most recently
from
ddac172 to
5c2b909
Compare
Thanks @Xynnn007, it found two issues. |
There was a problem hiding this comment.
Thanks. Some more nits about the readme document. The final rendering shape can be seen on the page https://github.com/uril/coco-guest-components/tree/trustee-agent/attestation-agent/kbs_protocol/src/bin/trustee-agent. You can take a look if it meets your ideal shape when debugging
uril
force-pushed
the
trustee-agent
branch
5 times, most recently
from
069aa99 to
d4d01be
Compare
Thanks, that was a good tip. I fixed the markdown syntax. |
| @@ -0,0 +1,33 @@ | |||
| # Trustee attester # | |||
There was a problem hiding this comment.
The preview looks good, while we do not need the # in the end of the line when making headings. https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#headings
| struct Cli { | ||
| /// Trustee URL of format <protocol>://<host>:<port> | ||
| #[clap(long, value_parser)] | ||
| // url: Option<String>, |
There was a problem hiding this comment.
Is this something left for debug?
| let resource_path = format!("/{}", path); // path must start with a '/' | ||
| let resource = ResourceUri::new("", &resource_path)?; |
There was a problem hiding this comment.
nit: this will bail with an obscure error message if the user-specified path already starts with a /, so I would suggest to either:
a) validate the path format with a regex, so we can safely prepend the /
b) prepend the / only if it's not present: format!("/{}", path.trim_start_matches('/')) (even if it looks a bit ridiculous)
There was a problem hiding this comment.
It is a bit strange when a user asks for /repository/type/tag and gets an error message saying that the format should be /repository/type/tag.
I replaced it with:
let resource_path = match path.starts_with('/') {
false => format!("/{}", path),
true => path,
};
There was a problem hiding this comment.
👍 for booleans we can stick to if/else statements though, they also are expressions in rust, i.e. you can return from a branch: let x = if 1 != 2 { "foo" } else { "bar" }
The trustee-attester is a simple program that gather Confidential Computing HW "evidence", send it to Trustee and upon successful attestation get resources. As first implementation it directly uses attestation-agent's kbs_protocol and attesters. Signed-off-by: Uri Lublin <[email protected]>
There was a problem hiding this comment.
sorry I just noticed this: we shouldn't merge the PR without CI for the tool.
we don't need to publish binaries, but there should at least be compile/lint/format checks for the code.
you can take a look at the AA build for reference: https://github.com/confidential-containers/guest-components/blob/main/.github/workflows/aa_basic.yml
|
Added a commit with CI. Thanks for recommending aa_basic.yml. |
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| rust: | ||
| - stable | ||
| instance: | ||
| - ubuntu-24.04 | ||
| include: | ||
| - instance: ubuntu-24.04 | ||
| cargo_test_opts: "-p kbs_protocol --bin trustee-attester --no-default-features --features background_check,passport,openssl,all-attesters,bin" |
There was a problem hiding this comment.
i don't think this is a matrix. we only run the suite on ubuntu 24.04 w/ rust stable
There was a problem hiding this comment.
I removed the s390x entry of the list, for now, so only ubuntu is left there.
Possibly someone will re-add it later.
There was a problem hiding this comment.
I see, maybe add this as a comment above the matrix statement. otherwise, it's unclear to the reader of that workflow.
There was a problem hiding this comment.
I re-added s390x. It was added to many other .yml files
cargo build/fmt/clippy --bin trustee-attester Signed-off-by: Uri Lublin <[email protected]>
|
@uril please keep an eye on the new workflow after we merge this. We may need a follow-up with some fixes. |
The trustee attester is a tool to attest and fetch secrets from Trustee.
Trustee attester is using attestation-agent's kbs_protocol client and attesters to gather hardware-based confidential-computing evidence and send it over to Trustee.
This PR replaces #755. Binary renamed and moved under kbs_protocol.
Also Trustee URL and optional certificate are given in the command line and not in a configuration file.