From 1f33fd4cd4e2b3ad1d2f31fb389b2bf4b7a8e63b Mon Sep 17 00:00:00 2001
From: ChengyuZhu6
Date: Sun, 29 Sep 2024 16:01:12 +0800
Subject: [PATCH] agent:rpc: handle the sealed secret in createcontainer

Users must set the mount path to `/sealed/` for kata agent to detect the sealed secret mount and handle it in createcontainer stage.

Signed-off-by: ChengyuZhu6
Signed-off-by: Linda Yu
---
 src/agent/src/rpc.rs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index 9edea3cd8..27cba075c 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -241,6 +241,28 @@ impl AgentService {
 }
 }
 
+ let mounts = oci
+ .mounts_mut()
+ .as_mut()
+ .ok_or_else(|| anyhow!("Spec didn't contain mounts field"))?;
+ if cdh::is_cdh_client_initialized().await {
+ for m in mounts.iter_mut() {
+ if m.destination().starts_with("/sealed") {
+ info!(
+ sl(),
+ "sealed mount destination: {:?} source: {:?}",
+ m.destination(),
+ m.source()
+ );
+ if let Some(source_str) = m.source().as_ref().and_then(|p| p.to_str()) {
+ cdh::unseal_file(source_str).await?;
+ } else {
+ warn!(sl(), "Failed to unseal: Mount source is None or invalid");
+ }
+ }
+ }
+ }
+
 let linux = oci
 .linux()
 .as_ref()
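Review bot: The `.ok_or_else(|| anyhow!("Spec didn't contain mounts field"))?` on the new `let mounts` binding turns a spec with no `mounts` into a hard createcontainer failure even when no CDH client is initialized and no sealed secret is involved; `mounts` is optional in the OCI spec, so unless an earlier part of this function already requires it, the lookup should become `if let Some(mounts) = oci.mounts_mut().as_mut() {` nested inside the `if cdh::is_cdh_client_initialized().await {` block rather than a top-level error. In the `else` arm, `warn!(sl(), "Failed to unseal: Mount source is None or invalid");` lets the container start with the still-sealed file at the `/sealed` destination, whereas an unseal error on the line above aborts the request via `?`; either both cases should fail the request or a comment such as `// Mount is left sealed; the workload will see ciphertext at this path` should document why the asymmetry is acceptable. The `m.destination().starts_with("/sealed")` test is component-wise on `Path`, so only `/sealed` itself and paths below it match, which agrees with the `/sealed/` convention in the commit message and is worth stating in a comment next to the check. The enclosing method begins and ends outside this hunk.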