agent:rpc: handle the sealed secret in createcontainer

Users must set the mount path to `/sealed/<path>` for kata agent to detect the sealed secret mount and handle it in createcontainer stage. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com> Signed-off-by: Linda Yu <linda.yu@intel.com>
2025-07-05 19:47:53 +00:00 · 2024-09-29 16:01:12 +08:00 · 2024-09-29 16:01:12 +08:00 · 1f33fd4cd4
commit 1f33fd4cd4
parent da281b4444
1 changed files with 22 additions and 0 deletions
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@ -241,6 +241,28 @@ impl AgentService {
            }
        }

+        let mounts = oci
+            .mounts_mut()
+            .as_mut()
+            .ok_or_else(|| anyhow!("Spec didn't contain mounts field"))?;
+        if cdh::is_cdh_client_initialized().await {
+            for m in mounts.iter_mut() {
+                if m.destination().starts_with("/sealed") {
+                    info!(
+                        sl(),
+                        "sealed mount destination: {:?} source: {:?}",
+                        m.destination(),
+                        m.source()
+                    );
+                    if let Some(source_str) = m.source().as_ref().and_then(|p| p.to_str()) {
+                        cdh::unseal_file(source_str).await?;
+                    } else {
+                        warn!(sl(), "Failed to unseal: Mount source is None or invalid");
+                    }
+                }
+            }
+        }
+
        let linux = oci
            .linux()
            .as_ref()