k8s: add token signing keypair to k8s deployments

We now require a keypair for signing/validating the attestation token. Add this keypair to our k8s deployment tooling. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
confidential-containers · Oct 3, 2024 · 95af0a6 · 95af0a6
1 parent f225aa7
commit 95af0a6
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 4 deletions.
diff --git a/kbs/config/kubernetes/base/as-config.json b/kbs/config/kubernetes/base/as-config.json
@@ -1,8 +1,10 @@
 {
     "work_dir": "/opt/confidential-containers/attestation-service",
     "policy_engine": "opa",
-    "attestation_token_broker": "Simple",
     "attestation_token_config": {
-        "duration_min": 5
+        "duration_min": 5,
+	"signer": {
+		"key_path":"/kbs/as-private-key.pem"
+	}
     }
 }
diff --git a/kbs/config/kubernetes/base/deployment.yaml b/kbs/config/kubernetes/base/deployment.yaml
@@ -38,6 +38,10 @@ spec:
         volumeMounts:
         - name: kbs-auth-public-key
           mountPath: /kbs/
+        - name: as-public-key
+          mountPath: /kbs/
+        - name: as-private-key
+          mountPath: /kbs/
         - name: kbs-config
           mountPath: /etc/kbs/
         - name: policy-volume
@@ -46,6 +50,12 @@ spec:
       - name: kbs-auth-public-key
         secret:
           secretName: kbs-auth-public-key
+      - name: as-public-key
+        secret:
+          secretName: as-public-key
+      - name: as-private-key
+        secret:
+          secretName: as-private-key
       - name: kbs-config
         configMap:
           name: kbs-config

diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml
@@ -5,16 +5,19 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+attestation_token_type = "Ear"
+trusted_certs_paths = ["/kbs/as-public-key.pem"]
 
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"
 policy_engine = "opa"
-attestation_token_broker = "Simple"
 
 [as_config.attestation_token_config]
 duration_min = 5
 
+[as_config.attestation_token_config.signer]
+key_path = "/kbs/as-private-key.pem"
+
 [as_config.rvps_config]
 store_type = "LocalFs"
 remote_addr = ""
diff --git a/kbs/config/kubernetes/base/kustomization.yaml b/kbs/config/kubernetes/base/kustomization.yaml
@@ -26,3 +26,8 @@ secretGenerator:
 - files:
   - kbs.pem
   name: kbs-auth-public-key
+  - as-public-key.pem
+  name: as-public-key
+  - as-private-key.pem
+  name: as-private-key
+
diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh
@@ -22,6 +22,16 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem"
     openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}"
 }
 
+# Create keypair for signing and verifying attestation token
+as_key="${k8s_cnf_dir}/base/pkey.pem"
+as_key_priv="${k8s_cnf_dir}/base/as-private-key.pem"
+as_key_pub="${k8s_cnf_dir}/base/as-public-key.pem"
+
+openssl ecparam -name prime256v1 -genkey -noout -out ${as_key}
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in ${as_key} -nocrypt -out ${as_key_priv}
+openssl ec -in ${as_key_priv} -pubout -out ${as_key_pub}
+
+
 if [ "${ARCH}" == "s390x" ]; then
     if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then
     export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')