plumb AMD certs to workload containers #1549
Conversation
@KenGordon FYI
48350ee to cf9dc54
Add logic to plumb AMD certificates to workload containers. The assumption is that the certificates will be "fresh enough" for necessary attestation and key release by the workflow and third party services. Signed-off-by: Maksim An <maksiman@microsoft.com>
cf9dc54 to 9788c57
internal/uvm/security_policy.go
@@ -42,6 +42,17 @@ func WithSecurityPolicyEnforcer(enforcer string) ConfidentialUVMOpt { | |||
} | |||
} | |||
|
|||
func base64EncodeContent(filePath string) (string, error) { |
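Review bot: the name of the new helper, `base64EncodeContent(filePath string)`, hides the fact that its argument is a path and that the function reads that file from disk rather than encoding a byte slice it is handed; a name that says so (for example `base64EncodeFileContents`) makes the filesystem access obvious at every call site, which matters here because the bytes read end up plumbed into the UVM as attestation material. Please also document in a comment what the function returns when the file cannot be read, since the hunk header adds eleven lines but only the signature is visible in this context.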
base64EncodeFileContents?
internal/uvm/security_policy.go
return "", nil | ||
} | ||
content, err := os.ReadFile(filePath) | ||
if err != nil && !os.IsNotExist(err) { |
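Review bot: the check `if err != nil && !os.IsNotExist(err)` on the last line turns a missing file into a silent success: when `os.ReadFile(filePath)` fails with a not-exist error the function skips the error branch with `content` left empty, so the caller receives an empty encoded string and a nil error and cannot distinguish "no AMD certificate file" from "empty certificate file". Prefer returning the error unconditionally (`if err != nil { return "", err }`) and letting the caller decide whether an absent file is acceptable for its deployment (the non-SNP case mentioned in the thread); if the tolerance must stay here, log the path at the point where the not-exist case is swallowed, so a UVM that starts without the certificates leaves a trace rather than failing later at attestation or key release. `errors.Is(err, fs.ErrNotExist)` is the current idiom if the check is kept.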
This could result in an undetected file not found. Callers may end up troubleshooting why the base64 string is "" instead of troubleshooting that the file doesn't exist.
Sure, that's fair. Although I should probably revert this change, since the approach to fetching the certs has changed, and in previous iterations I was reading it from the host, which is why I introduced this utility function. At the moment we always set the default reference file, so under non-SNP deployments the file won't exist. I might need to refactor that a bit, which is probably outside of the scope of this PR. I'll add some logging for now and make the refactoring change in a different PR, if you don't mind.
Signed-off-by: Maksim An <maksiman@microsoft.com>
lgtm
confidential containers: Add AMD cert plumbing

Add logic to plumb AMD certificates to workload containers. The assumption is that the certificates will be "fresh enough" for necessary attestation and key release by the workflow and third party services. Additionally add error logging when UVM reference info file is not found.

Signed-off-by: Maksim An <maksiman@microsoft.com>