From 95af0a694da91879a29f6dfb12c4f791af2b6ea2 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Thu, 3 Oct 2024 12:50:18 -0500
Subject: [PATCH] k8s: add token signing keypair to k8s deployments
We now require a keypair for signing/validating the attestation token. Add this keypair to our k8s deployment tooling.
Signed-off-by: Tobin Feldman-Fitzthum
---
 kbs/config/kubernetes/base/as-config.json | 6 ++++--
 kbs/config/kubernetes/base/deployment.yaml | 10 ++++++++++
 kbs/config/kubernetes/base/kbs-config.toml | 7 +++++--
 kbs/config/kubernetes/base/kustomization.yaml | 5 +++++
 kbs/config/kubernetes/deploy-kbs.sh | 10 ++++++++++
 5 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/kbs/config/kubernetes/base/as-config.json b/kbs/config/kubernetes/base/as-config.json
index 8935ffc9f..5f335ee46 100644
--- a/kbs/config/kubernetes/base/as-config.json
+++ b/kbs/config/kubernetes/base/as-config.json
@@ -1,8 +1,10 @@
 {
 "work_dir": "/opt/confidential-containers/attestation-service",
 "policy_engine": "opa",
- "attestation_token_broker": "Simple",
 "attestation_token_config": {
- "duration_min": 5
+ "duration_min": 5,
+ "signer": {
+ "key_path":"/kbs/as-private-key.pem"
+ }
 }
 }
diff --git a/kbs/config/kubernetes/base/deployment.yaml b/kbs/config/kubernetes/base/deployment.yaml
index 2e5319264..f3beaf7a7 100644
--- a/kbs/config/kubernetes/base/deployment.yaml
+++ b/kbs/config/kubernetes/base/deployment.yaml
@@ -38,6 +38,10 @@ spec:
 volumeMounts:
 - name: kbs-auth-public-key
 mountPath: /kbs/
+ - name: as-public-key
+ mountPath: /kbs/
+ - name: as-private-key
+ mountPath: /kbs/
 - name: kbs-config
 mountPath: /etc/kbs/
 - name: policy-volume
@@ -46,6 +50,12 @@ spec:
 - name: kbs-auth-public-key
 secret:
 secretName: kbs-auth-public-key
+ - name: as-public-key
+ secret:
+ secretName: as-public-key
+ - name: as-private-key
+ secret:
+ secretName: as-private-key
 - name: kbs-config
 configMap:
 name: kbs-config
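Review bot: `"key_path":"/kbs/as-private-key.pem"` is missing the space after the colon that every other pair in this file has; write `"key_path": "/kbs/as-private-key.pem"`. With `attestation_token_broker` removed, this file relies on whatever default broker the attestation service ships with, while `kbs-config.toml` in the same commit selects `attestation_token_type = "Ear"` on the verifying side; it is worth confirming that the default here issues the same token type, otherwise the two configurations disagree. The path must also match where deployment.yaml mounts the `as-private-key` secret, and since JSON cannot carry that as a comment, the deploy script or README is the place to record the coupling.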
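Review bot: The two added `volumeMounts` reuse `mountPath: /kbs/`, which the existing `kbs-auth-public-key` mount already occupies; Kubernetes requires `mountPath` values within one container to be unique, so this Deployment is rejected at apply time. Mount each secret's single file with `subPath` under `/kbs/` instead, and mark the private-key mount `readOnly`, since nothing in the container should be able to rewrite the signing key. A `subPath` mount is not refreshed when the Secret changes, which is acceptable here because the key file is produced by deploy-kbs.sh at deploy time; the `volumes` hunk below needs no change.
```yaml
          # … unchanged: kbs-auth-public-key mount at /kbs/ …
          - name: as-public-key
            mountPath: /kbs/as-public-key.pem
            subPath: as-public-key.pem
            readOnly: true
          - name: as-private-key
            mountPath: /kbs/as-private-key.pem
            subPath: as-private-key.pem
            readOnly: true
          # … unchanged: kbs-config and policy-volume mounts …
```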
diff --git a/kbs/config/kubernetes/base/kbs-config.toml b/kbs/config/kubernetes/base/kbs-config.toml
index c6544eece..694de3c13 100644
--- a/kbs/config/kubernetes/base/kbs-config.toml
+++ b/kbs/config/kubernetes/base/kbs-config.toml
@@ -5,16 +5,19 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+attestation_token_type = "Ear"
+trusted_certs_paths = ["/kbs/as-public-key.pem"]
 
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"
 policy_engine = "opa"
-attestation_token_broker = "Simple"
 
 [as_config.attestation_token_config]
 duration_min = 5
 
+[as_config.attestation_token_config.signer]
+key_path = "/kbs/as-private-key.pem"
+
 [as_config.rvps_config]
 store_type = "LocalFs"
 remote_addr = ""
diff --git a/kbs/config/kubernetes/base/kustomization.yaml b/kbs/config/kubernetes/base/kustomization.yaml
index 5446b3bc3..71d760cc7 100644
--- a/kbs/config/kubernetes/base/kustomization.yaml
+++ b/kbs/config/kubernetes/base/kustomization.yaml
@@ -26,3 +26,8 @@ secretGenerator:
 - files:
 - kbs.pem
 name: kbs-auth-public-key
+ - as-public-key.pem
+ name: as-public-key
+ - as-private-key.pem
+ name: as-private-key
+
diff --git a/kbs/config/kubernetes/deploy-kbs.sh b/kbs/config/kubernetes/deploy-kbs.sh
index c19b51d0d..2eaa3dc19 100755
--- a/kbs/config/kubernetes/deploy-kbs.sh
+++ b/kbs/config/kubernetes/deploy-kbs.sh
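Review bot: `trusted_certs_paths` points at `/kbs/as-public-key.pem`, which deploy-kbs.sh in this same commit produces with `openssl ec -pubout`, i.e. a bare EC public key rather than an X.509 certificate, so the setting's name will mislead the next reader, and whether the verifier accepts a raw public key under a "certs" setting is not visible here and should be confirmed. A comment above the key would prevent a wrong swap later: `# PEM public key emitted by deploy-kbs.sh, not a certificate; it must pair with as_config.attestation_token_config.signer.key_path`. The same pairing note belongs above `[as_config.attestation_token_config.signer]`, since rotating one file without the other silently breaks token validation.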
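Review bot: The four added lines under `secretGenerator` carry no `- files:` item of their own, so as rendered they either extend the existing `kbs-auth-public-key` generator (giving it a second `name` key) or become bare scalars in the generator list; the YAML indentation is lost in this rendering, so please confirm against the file, but the diffstat's five insertions leave no room for the missing `files:` lines. Each secret needs its own generator entry, e.g. `- files:` / `  - as-public-key.pem` / `  name: as-public-key`, repeated for `as-private-key.pem`. The secret names must keep matching the `secretName` values added in deployment.yaml.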
@@ -22,6 +22,16 @@ kbs_cert="${k8s_cnf_dir}/base/kbs.pem"
 openssl pkey -in "${k8s_cnf_dir}/base/kbs.key" -pubout -out "${kbs_cert}"
 }
 
+# Create keypair for signing and verifying attestation token
+as_key="${k8s_cnf_dir}/base/pkey.pem"
+as_key_priv="${k8s_cnf_dir}/base/as-private-key.pem"
+as_key_pub="${k8s_cnf_dir}/base/as-public-key.pem"
+
+openssl ecparam -name prime256v1 -genkey -noout -out ${as_key}
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in ${as_key} -nocrypt -out ${as_key_priv}
+openssl ec -in ${as_key_priv} -pubout -out ${as_key_pub}
+
+
 if [ "${ARCH}" == "s390x" ]; then
 if [ -n "${IBM_SE_CREDS_DIR:-}" ]; then
 export NODE_NAME=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
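Review bot: The intermediate SEC1 key `pkey.pem` is left in `base/` after the PKCS#8 conversion, so two copies of the token-signing private key sit in the source tree with default permissions, and the three new `openssl` lines pass `${as_key}`, `${as_key_priv}` and `${as_key_pub}` unquoted while the surrounding script quotes `"${kbs_cert}"`. `openssl genpkey` writes PKCS#8 directly, which removes the intermediate file, and running it under `umask 077` keeps the private key owner-readable only. The keypair is also regenerated unconditionally on every run, which invalidates any token signed by the previous key; the `}` just above the added lines closes a block whose start is outside the hunk, and if that block guards the `kbs.key` generation the same guard is presumably wanted here. If `base/*.pem` is not already ignored by git, the private key can be committed alongside the kustomization that consumes it.
```shell
# Create keypair for signing and verifying attestation token
as_key_priv="${k8s_cnf_dir}/base/as-private-key.pem"
as_key_pub="${k8s_cnf_dir}/base/as-public-key.pem"

# genpkey emits PKCS#8 directly, so no intermediate SEC1 key is left in base/;
# the subshell umask keeps the private key owner-readable only.
(umask 077; openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "${as_key_priv}")
openssl pkey -in "${as_key_priv}" -pubout -out "${as_key_pub}"
```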