treewide: revert peerpods node installer

.gitignore

@@ -21,5 +21,6 @@ terraform.tfstate*
 id_rsa*
 kube.conf
 out.env
-infra/**/peer-pods-config.yaml
+infra/**/kustomization.yaml
+infra/**/workload-identity.yaml
 uplosi.conf*

cli/genpolicy/config.go

@@ -43,7 +43,7 @@ func NewConfig(platform platforms.Platform) *Config {
 			Settings: aksSettings,
 			Bin:      aksGenpolicyBin,
 		}
-	case platforms.AKSPeerSNP, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+	case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 		return &Config{
 			Rules:    kataRules,
 			Settings: kataSettings,

cli/main.go

@@ -105,7 +105,7 @@ func buildVersionString() (string, error) {
 		switch platform {
 		case platforms.AKSCloudHypervisorSNP:
 			fmt.Fprintf(versionsWriter, "\tgenpolicy version:\t%s\n", constants.MicrosoftGenpolicyVersion)
-		case platforms.AKSPeerSNP, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+		case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 			fmt.Fprintf(versionsWriter, "\tgenpolicy version:\t%s\n", constants.KataGenpolicyVersion)
 		}
 	}

infra/azure-peerpods/main.tf

@@ -69,6 +69,14 @@ resource "azurerm_role_assignment" "ra_network_contributor" {
   principal_id         = azuread_service_principal.sp.object_id
 }
 
+resource "azuread_application_federated_identity_credential" "federated_credentials" {
+  display_name   = local.name
+  application_id = azuread_application.app.id
+  issuer         = azurerm_kubernetes_cluster.cluster.oidc_issuer_url
+  subject        = "system:serviceaccount:confidential-containers-system:cloud-api-adaptor"
+  audiences      = ["api://AzureADTokenExchange"]
+}
+
 resource "azuread_application_password" "cred" {
   application_id = azuread_application.app.id
 }
@@ -120,45 +128,65 @@ resource "local_file" "kubeconfig" {
   content    = azurerm_kubernetes_cluster.cluster.kube_config_raw
 }
 
-data "local_file" "id_rsa" {
-  filename = "id_rsa.pub"
-}
-
-resource "local_file" "peer-pods-config" {
-  filename        = "./peer-pods-config.yaml"
+resource "local_file" "workload_identity" {
+  filename        = "./workload-identity.yaml"
   file_permission = "0777"
   content         = <<EOF
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: peer-pods-cm
-data:
-  AZURE_CLIENT_ID: ${azuread_application.app.client_id}
-  AZURE_TENANT_ID: ${data.azurerm_subscription.current.tenant_id}
-  AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
-  AZURE_IMAGE_ID: ${var.image_id}
-  AZURE_INSTANCE_SIZE: Standard_DC2as_v5
-  AZURE_REGION: ${data.azurerm_resource_group.rg.location}
-  AZURE_RESOURCE_GROUP: ${data.azurerm_resource_group.rg.name}
-  AZURE_SUBNET_ID: ${one(azurerm_virtual_network.main.subnet.*.id)}
-  AZURE_SUBSCRIPTION_ID: ${data.azurerm_subscription.current.subscription_id}
-  CLOUD_PROVIDER: azure
-  DISABLECVM: "false"
----
-apiVersion: v1
-data:
-  AZURE_CLIENT_SECRET: ${base64encode(azuread_application_password.cred.value)}
-kind: Secret
+apiVersion: apps/v1
+kind: DaemonSet
 metadata:
-  name: azure-client-secret
+  name: cloud-api-adaptor-daemonset
+  namespace: confidential-containers-system
+spec:
+  template:
+    metadata:
+      labels:
+        azure.workload.identity/use: "true"
 ---
-type: Opaque
 apiVersion: v1
-data:
-  id_rsa.pub: ${data.local_file.id_rsa.content_base64}
-kind: Secret
+kind: ServiceAccount
 metadata:
-  name: ssh-key-secret
-type: Opaque
+  name: cloud-api-adaptor
+  namespace: confidential-containers-system
+  annotations:
+    azure.workload.identity/client-id: ${azuread_application.app.client_id}
+EOF
+}
+
+resource "local_file" "kustomization" {
+  filename        = "./kustomization.yaml"
+  file_permission = "0777"
+  content         = <<EOF
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../../yamls
+images:
+- name: cloud-api-adaptor
+  newName: quay.io/confidential-containers/cloud-api-adaptor
+  newTag: v0.9.0-amd64
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: peer-pods-cm
+  namespace: confidential-containers-system
+  literals:
+  - CLOUD_PROVIDER=azure
+  - AZURE_SUBSCRIPTION_ID=${data.azurerm_subscription.current.subscription_id}
+  - AZURE_REGION=${data.azurerm_resource_group.rg.location}
+  - AZURE_INSTANCE_SIZE=Standard_DC2as_v5
+  - AZURE_RESOURCE_GROUP=${data.azurerm_resource_group.rg.name}
+  - AZURE_SUBNET_ID=${one(azurerm_virtual_network.main.subnet.*.id)}
+  - AZURE_IMAGE_ID=${var.image_id}
+  - DISABLECVM=false
+secretGenerator:
+- name: peer-pods-secret
+  namespace: confidential-containers-system
+- name: ssh-key-secret
+  namespace: confidential-containers-system
+  files:
+  - id_rsa.pub
+patchesStrategicMerge:
+- workload-identity.yaml
 EOF
 }

internal/kuberesource/parts.go

@@ -82,11 +82,6 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 			),
 	}
 
-	containerdPath := "/var/lib/rancher/k3s/agent/containerd"
-	if platform == platforms.AKSPeerSNP {
-		containerdPath = "/var/lib/containerd"
-	}
-
 	nydusSnapshotter := Container().
 		WithName("nydus-snapshotter").
 		WithImage("ghcr.io/edgelesssys/contrast/nydus-snapshotter:latest").
@@ -118,7 +113,7 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 		Volume().
 			WithName("var-lib-containerd").
 			WithHostPath(HostPathVolumeSource().
-				WithPath(containerdPath).
+				WithPath("/var/lib/rancher/k3s/agent/containerd").
 				WithType(corev1.HostPathDirectory),
 			),
 		Volume().
@@ -129,87 +124,18 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 			),
 	}
 
-	cloudAPIAdaptor := Container().
-		WithName("cloud-api-adaptor").
-		WithImage("ghcr.io/edgelesssys/contrast/cloud-api-adaptor:latest").
-		WithVolumeMounts(
-			VolumeMount().
-				WithName("ssh").
-				WithMountPath("/.ssh/").
-				WithReadOnly(true),
-			VolumeMount().
-				WithName("pods-dir").
-				WithMountPath("/run/peerpod"),
-			VolumeMount().
-				WithName("netns").
-				WithMountPath("/run/netns").
-				WithMountPropagation(corev1.MountPropagationHostToContainer),
-			VolumeMount().
-				WithName("netns").
-				WithMountPath("/var/run/netns").
-				WithMountPropagation(corev1.MountPropagationHostToContainer),
-		).
-		WithEnv(
-			NewEnvVar("optionals", fmt.Sprintf("-socket /run/peerpod/hypervisor-%s.sock ", runtimeHandler)),
-		).
-		WithEnvFrom(
-			applycorev1.EnvFromSource().
-				WithConfigMapRef(
-					applycorev1.ConfigMapEnvSource().
-						WithName("peer-pods-cm"),
-				),
-			applycorev1.EnvFromSource().
-				WithSecretRef(applycorev1.SecretEnvSource().
-					WithName("azure-client-secret"),
-				),
-		).
-		WithSecurityContext(
-			applycorev1.SecurityContext().
-				WithCapabilities(
-					applycorev1.Capabilities().
-						WithAdd(
-							corev1.Capability("NET_ADMIN"),
-							corev1.Capability("SYS_ADMIN"),
-						),
-				),
-		)
-	cloudAPIAdaptorVolumes := []*applycorev1.VolumeApplyConfiguration{
-		Volume().
-			WithName("pods-dir").
-			WithHostPath(HostPathVolumeSource().
-				WithPath("/run/peerpod").
-				WithType(corev1.HostPathDirectoryOrCreate),
-			),
-		Volume().
-			WithName("netns").
-			WithHostPath(HostPathVolumeSource().
-				WithPath("/run/netns").
-				WithType(corev1.HostPathDirectory),
-			),
-		Volume().
-			WithName("ssh").
-			WithSecret(applycorev1.SecretVolumeSource().
-				WithDefaultMode(0o600).
-				WithSecretName("ssh-key-secret"),
-			),
-	}
-
 	var nodeInstallerImageURL string
-	var containers []*applycorev1.ContainerApplyConfiguration
-	var volumes []*applycorev1.VolumeApplyConfiguration
+	var snapshotter *applycorev1.ContainerApplyConfiguration
+	var snapshotterVolumes []*applycorev1.VolumeApplyConfiguration
 	switch platform {
 	case platforms.AKSCloudHypervisorSNP:
 		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-microsoft:latest"
-		containers = []*applycorev1.ContainerApplyConfiguration{tardevSnapshotter}
-		volumes = tardevSnapshotterVolumes
+		snapshotter = tardevSnapshotter
+		snapshotterVolumes = tardevSnapshotterVolumes
 	case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX:
 		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
-		containers = []*applycorev1.ContainerApplyConfiguration{nydusSnapshotter}
-		volumes = nydusSnapshotterVolumes
-	case platforms.AKSPeerSNP:
-		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
-		containers = []*applycorev1.ContainerApplyConfiguration{nydusSnapshotter, cloudAPIAdaptor}
-		volumes = append(nydusSnapshotterVolumes, cloudAPIAdaptorVolumes...)
+		snapshotter = nydusSnapshotter
+		snapshotterVolumes = nydusSnapshotterVolumes
 	default:
 		return nil, fmt.Errorf("unsupported platform %q", platform)
 	}
@@ -241,10 +167,10 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 						WithCommand("/bin/node-installer", platform.String()),
 					).
 					WithContainers(
-						containers...,
+						snapshotter,
 					).
 					WithVolumes(append(
-						volumes,
+						snapshotterVolumes,
 						Volume().
 							WithName("host-mount").
 							WithHostPath(HostPathVolumeSource().

internal/platforms/platforms.go

@@ -18,8 +18,6 @@ const (
 	Unknown Platform = iota
 	// AKSCloudHypervisorSNP represents a deployment with Cloud-Hypervisor on SEV-SNP AKS.
 	AKSCloudHypervisorSNP
-	// AKSPeerSNP represents a deployment with peer-pods on SEV-SNP AKS.
-	AKSPeerSNP
 	// K3sQEMUTDX represents a deployment with QEMU on bare-metal TDX K3s.
 	K3sQEMUTDX
 	// K3sQEMUSNP represents a deployment with QEMU on bare-metal SNP K3s.
@@ -30,7 +28,7 @@ const (
 
 // All returns a list of all available platforms.
 func All() []Platform {
-	return []Platform{AKSCloudHypervisorSNP, AKSPeerSNP, K3sQEMUTDX, K3sQEMUSNP, RKE2QEMUTDX}
+	return []Platform{AKSCloudHypervisorSNP, K3sQEMUTDX, K3sQEMUSNP, RKE2QEMUTDX}
 }
 
 // AllStrings returns a list of all available platforms as strings.
@@ -47,8 +45,6 @@ func (p Platform) String() string {
 	switch p {
 	case AKSCloudHypervisorSNP:
 		return "AKS-CLH-SNP"
-	case AKSPeerSNP:
-		return "AKS-PEER-SNP"
 	case K3sQEMUTDX:
 		return "K3s-QEMU-TDX"
 	case K3sQEMUSNP:
@@ -65,8 +61,6 @@ func FromString(s string) (Platform, error) {
 	switch strings.ToLower(s) {
 	case "aks-clh-snp":
 		return AKSCloudHypervisorSNP, nil
-	case "aks-peer-snp":
-		return AKSPeerSNP, nil
 	case "k3s-qemu-tdx":
 		return K3sQEMUTDX, nil
 	case "k3s-qemu-snp":