initializer: take workload secret and restructure files

edgelesssys · Aug 5, 2024 · e6340e7 · e6340e7
1 parent 7d3f367
commit e6340e7
Show file tree

Hide file tree

Showing 8 changed files with 48 additions and 35 deletions.
diff --git a/docs/docs/components/service-mesh.md b/docs/docs/components/service-mesh.md
@@ -96,7 +96,7 @@ Contrast service mesh as an init container.
             privileged: true
           volumeMounts:
             - name: contrast-tls-certs
-              mountPath: /tls-config
+              mountPath: /contrast
 ```
 
 Note, that changing the environment variables of the sidecar container directly will

diff --git a/docs/docs/deployment.md b/docs/docs/deployment.md
@@ -120,9 +120,9 @@ The following example shows how to configure a Golang app, with error handling o
 
 ```go
 caCerts := x509.NewCertPool()
-caCert, _ := os.ReadFile("/tls-config/mesh-ca.pem")
+caCert, _ := os.ReadFile("/contrast/tls-config/mesh-ca.pem")
 caCerts.AppendCertsFromPEM(caCert)
-cert, _ := tls.LoadX509KeyPair("/tls-config/certChain.pem", "/tls-config/key.pem")
+cert, _ := tls.LoadX509KeyPair("/contrast/tls-config/certChain.pem", "/contrast/tls-config/key.pem")
 cfg := &tls.Config{
   Certificates: []tls.Certificate{cert},
   RootCAs: caCerts,
@@ -134,9 +134,9 @@ cfg := &tls.Config{
 
 ```go
 caCerts := x509.NewCertPool()
-caCert, _ := os.ReadFile("/tls-config/mesh-ca.pem")
+caCert, _ := os.ReadFile("/contrast/tls-config/mesh-ca.pem")
 caCerts.AppendCertsFromPEM(caCert)
-cert, _ := tls.LoadX509KeyPair("/tls-config/certChain.pem", "/tls-config/key.pem")
+cert, _ := tls.LoadX509KeyPair("/contrast/tls-config/certChain.pem", "/contrast/tls-config/key.pem")
 cfg := &tls.Config{
   Certificates: []tls.Certificate{cert},
   ClientAuth: tls.RequireAndVerifyClientCert,
@@ -211,7 +211,7 @@ spec:
       image: "ghcr.io/edgelesssys/contrast/initializer:latest"
       name: contrast-initializer
       volumeMounts:
-        - mountPath: /tls-config
+        - mountPath: /contrast
           name: contrast-tls-certs
   volumes:
     - emptyDir: {}
@@ -244,7 +244,7 @@ The port-forwarder relays traffic from a CoCo pod and can be accessed via `kubec
 
 <!-- TODO(burgerdev): inline port-forwarder definition, it has been removed from main. -->
 
-Upstream tracking issue: https://github.com/kata-containers/kata-containers/issues/1693.
+Upstream tracking issue: <https://github.com/kata-containers/kata-containers/issues/1693>.
 
 :::
 

diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go
@@ -249,6 +249,6 @@ func TestMain(m *testing.M) {
 
 func opensslConnectCmd(addr, caCert string) string {
 	return fmt.Sprintf(
-		`openssl s_client -connect %s -verify_return_error -x509_strict -CAfile /tls-config/%s -cert /tls-config/certChain.pem -key /tls-config/key.pem </dev/null`,
+		`openssl s_client -connect %s -verify_return_error -x509_strict -CAfile /contrast/tls-config/%s -cert /contrast/tls-config/certChain.pem -key /contrast/tls-config/key.pem </dev/null`,
 		addr, caCert)
 }
diff --git a/e2e/servicemesh/servicemesh_test.go b/e2e/servicemesh/servicemesh_test.go
@@ -118,15 +118,15 @@ func TestIngressEgress(t *testing.T) {
 		// This test also verifies that client connections are not affected by the ingress proxy,
 		// because we're running the commands on a pod with enabled proxy.
 
-		argv := []string{"curl", "-sS", "--cacert", "/tls-config/mesh-ca.pem", "https://emoji:8801/metrics"}
+		argv := []string{"curl", "-sS", "--cacert", "/contrast/tls-config/mesh-ca.pem", "https://emoji:8801/metrics"}
 		// curl does not like the wildcard cert and the service name does not match the deployment
 		// name (i.e., the CN), so we tell curl to connect to expect the deployment name but
 		// resolve the service name.
 		argv = append(argv, "--connect-to", "emoji:8801:emoji-svc:8801")
 		stdout, stderr, err := c.Exec(ctx, ct.Namespace, frontendPods[0].Name, argv)
 		require.Error(err, "Expected call without client certificate to fail.\nstdout: %s\nstderr: %q", stdout, stderr)
 
-		argv = append(argv, "--cert", "/tls-config/certChain.pem", "--key", "/tls-config/key.pem")
+		argv = append(argv, "--cert", "/contrast/tls-config/certChain.pem", "--key", "/contrast/tls-config/key.pem")
 		stdout, stderr, err = c.Exec(ctx, ct.Namespace, frontendPods[0].Name, argv)
 		require.NoError(err, "Expected call with client certificate to succeed.\nstdout: %s\nstderr: %q", stdout, stderr)
 	})

diff --git a/initializer/main.go b/initializer/main.go
@@ -9,6 +9,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -98,23 +99,35 @@ func run() (retErr error) {
 		Bytes: privKeyBytes,
 	})
 
+	// make sure directories exist
+	if err := os.MkdirAll("/contrast/tls-config", 0o755); err != nil {
+		return fmt.Errorf("creating tls-config directory: %w", err)
+	}
+	if err := os.MkdirAll("/contrast/secrets", 0o755); err != nil {
+		return fmt.Errorf("creating secrets directory: %w", err)
+	}
+
 	// write files to disk
-	err = os.WriteFile("/tls-config/mesh-ca.pem", resp.MeshCACert, 0o644)
+	err = os.WriteFile("/contrast/tls-config/mesh-ca.pem", resp.MeshCACert, 0o644)
 	if err != nil {
 		return fmt.Errorf("writing mesh-ca.pem: %w", err)
 	}
-	err = os.WriteFile("/tls-config/certChain.pem", resp.CertChain, 0o644)
+	err = os.WriteFile("/contrast/tls-config/certChain.pem", resp.CertChain, 0o644)
 	if err != nil {
 		return fmt.Errorf("writing certChain.pem: %w", err)
 	}
-	err = os.WriteFile("/tls-config/key.pem", pemEncodedPrivKey, 0o600)
+	err = os.WriteFile("/contrast/tls-config/key.pem", pemEncodedPrivKey, 0o600)
 	if err != nil {
 		return fmt.Errorf("writing key.pem: %w", err)
 	}
-	err = os.WriteFile("/tls-config/coordinator-root-ca.pem", resp.RootCACert, 0o644)
+	err = os.WriteFile("/contrast/tls-config/coordinator-root-ca.pem", resp.RootCACert, 0o644)
 	if err != nil {
 		return fmt.Errorf("writing coordinator-root-ca.pem: %w", err)
 	}
+	err = os.WriteFile("/contrast/secrets/workload-secret", []byte(hex.EncodeToString(resp.WorkloadSecret)), 0o600)
+	if err != nil {
+		return fmt.Errorf("writing workload-secret: %w", err)
+	}
 
 	log.Info("Initializer done")
 	return nil

diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go
@@ -381,8 +381,8 @@ func Initializer() *applycorev1.ContainerApplyConfiguration {
 		).
 		WithEnv(NewEnvVar("COORDINATOR_HOST", "coordinator")).
 		WithVolumeMounts(VolumeMount().
-			WithName("contrast-tls-certs").
-			WithMountPath("/tls-config"),
+			WithName("contrast-secrets").
+			WithMountPath("/contrast"),
 		)
 }
 
@@ -393,8 +393,8 @@ func ServiceMeshProxy() *applycorev1.ContainerApplyConfiguration {
 		WithImage("ghcr.io/edgelesssys/contrast/service-mesh-proxy:latest").
 		WithRestartPolicy(corev1.ContainerRestartPolicyAlways).
 		WithVolumeMounts(VolumeMount().
-			WithName("contrast-tls-certs").
-			WithMountPath("/tls-config"),
+			WithName("contrast-secrets").
+			WithMountPath("/contrast"),
 		).
 		WithSecurityContext(SecurityContext().
 			WithPrivileged(true).

diff --git a/internal/kuberesource/sets.go b/internal/kuberesource/sets.go
@@ -64,7 +64,7 @@ func OpenSSL() []any {
 						Container().
 							WithName("openssl-backend").
 							WithImage("ghcr.io/edgelesssys/contrast/openssl:latest").
-							WithCommand("/bin/bash", "-c", "openssl s_server -port 443 -Verify 2 -CAfile /tls-config/mesh-ca.pem -cert /tls-config/certChain.pem -key /tls-config/key.pem").
+							WithCommand("/bin/bash", "-c", "openssl s_server -port 443 -Verify 2 -CAfile /contrast/tls-config/mesh-ca.pem -cert /contrast/tls-config/certChain.pem -key /contrast/tls-config/key.pem").
 							WithPorts(
 								ContainerPort().
 									WithName("https").
@@ -99,7 +99,7 @@ func OpenSSL() []any {
 						Container().
 							WithName("openssl-frontend").
 							WithImage("ghcr.io/edgelesssys/contrast/openssl:latest").
-							WithCommand("/bin/bash", "-c", "openssl s_server -www -port 443 -cert /tls-config/certChain.pem -key /tls-config/key.pem -cert_chain /tls-config/certChain.pem").
+							WithCommand("/bin/bash", "-c", "openssl s_server -www -port 443 -cert /contrast/tls-config/certChain.pem -key /contrast/tls-config/key.pem -cert_chain /contrast/tls-config/certChain.pem").
 							WithPorts(
 								ContainerPort().
 									WithName("https").
@@ -472,17 +472,17 @@ func Emojivoto(smMode serviceMeshMode) []any {
 
 	if smMode == ServiceMeshDisabled {
 		emoji.Spec.Template.Spec.Containers[0].
-			WithEnv(EnvVar().WithName("EDG_CERT_PATH").WithValue("/tls-config/certChain.pem")).
-			WithEnv(EnvVar().WithName("EDG_CA_PATH").WithValue("/tls-config/mesh-ca.pem")).
-			WithEnv(EnvVar().WithName("EDG_KEY_PATH").WithValue("/tls-config/key.pem"))
+			WithEnv(EnvVar().WithName("EDG_CERT_PATH").WithValue("/contrast/tls-config/certChain.pem")).
+			WithEnv(EnvVar().WithName("EDG_CA_PATH").WithValue("/contrast/tls-config/mesh-ca.pem")).
+			WithEnv(EnvVar().WithName("EDG_KEY_PATH").WithValue("/contrast/tls-config/key.pem"))
 		voting.Spec.Template.Spec.Containers[0].
-			WithEnv(EnvVar().WithName("EDG_CERT_PATH").WithValue("/tls-config/certChain.pem")).
-			WithEnv(EnvVar().WithName("EDG_CA_PATH").WithValue("/tls-config/mesh-ca.pem")).
-			WithEnv(EnvVar().WithName("EDG_KEY_PATH").WithValue("/tls-config/key.pem"))
+			WithEnv(EnvVar().WithName("EDG_CERT_PATH").WithValue("/contrast/tls-config/certChain.pem")).
+			WithEnv(EnvVar().WithName("EDG_CA_PATH").WithValue("/contrast/tls-config/mesh-ca.pem")).
+			WithEnv(EnvVar().WithName("EDG_KEY_PATH").WithValue("/contrast/tls-config/key.pem"))
 		web.Spec.Template.Spec.Containers[0].
-			WithEnv(EnvVar().WithName("EDG_CERT_PATH").WithValue("/tls-config/certChain.pem")).
-			WithEnv(EnvVar().WithName("EDG_CA_PATH").WithValue("/tls-config/mesh-ca.pem")).
-			WithEnv(EnvVar().WithName("EDG_KEY_PATH").WithValue("/tls-config/key.pem")).
+			WithEnv(EnvVar().WithName("EDG_CERT_PATH").WithValue("/contrast/tls-config/certChain.pem")).
+			WithEnv(EnvVar().WithName("EDG_CA_PATH").WithValue("/contrast/tls-config/mesh-ca.pem")).
+			WithEnv(EnvVar().WithName("EDG_KEY_PATH").WithValue("/contrast/tls-config/key.pem")).
 			WithEnv(EnvVar().WithName("EDG_DISABLE_CLIENT_AUTH").WithValue("true"))
 		return resources
 	}

diff --git a/service-mesh/config.go b/service-mesh/config.go
@@ -322,12 +322,12 @@ func upstreamTLSTransportSocket() (*envoyCoreV3.TransportSocket, error) {
 				{
 					PrivateKey: &envoyCoreV3.DataSource{
 						Specifier: &envoyCoreV3.DataSource_Filename{
-							Filename: "/tls-config/key.pem",
+							Filename: "/contrast/tls-config/key.pem",
 						},
 					},
 					CertificateChain: &envoyCoreV3.DataSource{
 						Specifier: &envoyCoreV3.DataSource_Filename{
-							Filename: "/tls-config/certChain.pem",
+							Filename: "/contrast/tls-config/certChain.pem",
 						},
 					},
 				},
@@ -336,7 +336,7 @@ func upstreamTLSTransportSocket() (*envoyCoreV3.TransportSocket, error) {
 				ValidationContext: &envoyTLSV3.CertificateValidationContext{
 					TrustedCa: &envoyCoreV3.DataSource{
 						Specifier: &envoyCoreV3.DataSource_Filename{
-							Filename: "/tls-config/mesh-ca.pem",
+							Filename: "/contrast/tls-config/mesh-ca.pem",
 						},
 					},
 				},
@@ -363,12 +363,12 @@ func downstreamTLSTransportSocket(requireClientCertificate bool) (*envoyCoreV3.T
 				{
 					PrivateKey: &envoyCoreV3.DataSource{
 						Specifier: &envoyCoreV3.DataSource_Filename{
-							Filename: "/tls-config/key.pem",
+							Filename: "/contrast/tls-config/key.pem",
 						},
 					},
 					CertificateChain: &envoyCoreV3.DataSource{
 						Specifier: &envoyCoreV3.DataSource_Filename{
-							Filename: "/tls-config/certChain.pem",
+							Filename: "/contrast/tls-config/certChain.pem",
 						},
 					},
 				},
@@ -377,7 +377,7 @@ func downstreamTLSTransportSocket(requireClientCertificate bool) (*envoyCoreV3.T
 				ValidationContext: &envoyTLSV3.CertificateValidationContext{
 					TrustedCa: &envoyCoreV3.DataSource{
 						Specifier: &envoyCoreV3.DataSource_Filename{
-							Filename: "/tls-config/mesh-ca.pem",
+							Filename: "/contrast/tls-config/mesh-ca.pem",
 						},
 					},
 				},