crd: Expose agent{Https,No}Proxy

Depending on the environment where we deploy Confidential Containers, setting up the proxy is required for the agent to be able to connect with the external world. With that in mind, mainly considering this is needed for the basic TDX CI, let's ensure we expose to the users a way to set it up. Signed-off-by: Fabiano Fidêncio <[email protected]>
confidential-containers · Mar 20, 2024 · 7254204 · 7254204
1 parent 016a7d4
commit 7254204
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/api/v1beta1/ccruntime_types.go b/api/v1beta1/ccruntime_types.go
@@ -168,6 +168,16 @@ type CcInstallConfig struct {
 	// +optional
 	DefaultRuntimeClassName string `json:"defaultRuntimeClassName,omitempty"`
 
+	// This specifies the HTTPS_PROXY that may be required to be set for the Kata Containers agent
+	// when performing the image pull inside the guest (either using nydus snapshotter with containerd
+	// or CRI-O)
+	AgentHttpsProxy string `json:"agentHttpsProxy,omitempty"`
+
+	// This specifies the NO_PROXY that may be required to be set for the Kata Containers agent
+	// when performing the image pull inside the guest (either using nydus snapshotter with containerd
+	// or CRI-O)
+	AgentNoProxy string `json:"agentNoProxy,omitempty"`
+
 	// This specifies whether the CcRuntime (kata or enclave-cc) will be running on debug mode
 	// +optional
 	Debug bool `json:"debug,omitempty"`

diff --git a/config/crd/bases/confidentialcontainers.org_ccruntimes.yaml b/config/crd/bases/confidentialcontainers.org_ccruntimes.yaml
@@ -97,6 +97,18 @@ spec:
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
+                  agentHttpsProxy:
+                    description: This specifies the HTTPS_PROXY that may be required
+                      to be set for the Kata Containers agent when performing the
+                      image pull inside the guest (either using nydus snapshotter
+                      with containerd or CRI-O)
+                    type: string
+                  agentNoProxy:
+                    description: This specifies the NO_PROXY that may be required
+                      to be set for the Kata Containers agent when performing the
+                      image pull inside the guest (either using nydus snapshotter
+                      with containerd or CRI-O)
+                    type: string
                   cleanupCmd:
                     description: This specifies the command for cleanup on the nodes
                     items:

diff --git a/controllers/ccruntime_controller.go b/controllers/ccruntime_controller.go
@@ -675,6 +675,14 @@ func (r *CcRuntimeReconciler) processDaemonset(operation DaemonOperation) *appsv
 			Name:  "SNAPSHOTTER_HANDLER_MAPPING",
 			Value: strings.Join(snapshotter_handler_mapping, ","),
 		},
+		{
+			Name:  "AGENT_HTTPS_PROXY",
+			Value: r.ccRuntime.Spec.Config.AgentHttpsProxy,
+		},
+		{
+			Name:  "AGENT_NO_PROXY",
+			Value: r.ccRuntime.Spec.Config.AgentNoProxy,
+		},
 	}
 	envVars = append(envVars, r.ccRuntime.Spec.Config.EnvironmentVariables...)