protos: Add CDH GetResourceService

Add service to get arbitrary data from Confidential Data Hub. Taken from
https://github.com/confidential-containers/guest-components/tree/main/api-server-rest.
Marked as `#[allow(dead_code)]` because planned use is
architecture-specific at this time.

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This commit is contained in:
Jakob Naucke 2025-03-07 13:51:57 +00:00
parent f6a1c6d0e0
commit 683a482d64
2 changed files with 45 additions and 3 deletions


@ -11,8 +11,12 @@ use crate::AGENT_CONFIG;
use anyhow::{bail, Context, Result}; use anyhow::{bail, Context, Result};
use derivative::Derivative; use derivative::Derivative;
use protocols::{ use protocols::{
confidential_data_hub, confidential_data_hub_ttrpc_async, confidential_data_hub,
confidential_data_hub_ttrpc_async::{SealedSecretServiceClient, SecureMountServiceClient}, confidential_data_hub::GetResourceRequest,
confidential_data_hub_ttrpc_async,
confidential_data_hub_ttrpc_async::{
GetResourceServiceClient, SealedSecretServiceClient, SecureMountServiceClient,
},
}; };
use std::fs; use std::fs;
use std::os::unix::fs::symlink; use std::os::unix::fs::symlink;
@ -39,6 +43,8 @@ pub struct CDHClient {
sealed_secret_client: SealedSecretServiceClient, sealed_secret_client: SealedSecretServiceClient,
#[derivative(Debug = "ignore")] #[derivative(Debug = "ignore")]
secure_mount_client: SecureMountServiceClient, secure_mount_client: SecureMountServiceClient,
#[derivative(Debug = "ignore")]
get_resource_client: GetResourceServiceClient,
} }
impl CDHClient { impl CDHClient {
@ -47,10 +53,13 @@ impl CDHClient {
let sealed_secret_client = let sealed_secret_client =
confidential_data_hub_ttrpc_async::SealedSecretServiceClient::new(client.clone()); confidential_data_hub_ttrpc_async::SealedSecretServiceClient::new(client.clone());
let secure_mount_client = let secure_mount_client =
confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client); confidential_data_hub_ttrpc_async::SecureMountServiceClient::new(client.clone());
let get_resource_client =
confidential_data_hub_ttrpc_async::GetResourceServiceClient::new(client);
Ok(CDHClient { Ok(CDHClient {
sealed_secret_client, sealed_secret_client,
secure_mount_client, secure_mount_client,
get_resource_client,
}) })
} }
@ -84,6 +93,18 @@ impl CDHClient {
.await?; .await?;
Ok(()) Ok(())
} }
pub async fn get_resource(&self, resource_path: &str) -> Result<Vec<u8>> {
let req = GetResourceRequest {
ResourcePath: format!("kbs://{}", resource_path),
..Default::default()
};
let res = self
.get_resource_client
.get_resource(ttrpc::context::with_timeout(*CDH_API_TIMEOUT), &req)
.await?;
Ok(res.Resource)
}
} }
pub async fn init_cdh_client(cdh_socket_uri: &str) -> Result<()> { pub async fn init_cdh_client(cdh_socket_uri: &str) -> Result<()> {
@ -201,6 +222,15 @@ pub async fn secure_mount(
Ok(()) Ok(())
} }
#[allow(dead_code)]
pub async fn get_cdh_resource(resource_path: &str) -> Result<Vec<u8>> {
let cdh_client = CDH_CLIENT
.get()
.expect("Confidential Data Hub not initialized");
cdh_client.get_resource(resource_path).await
}
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
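Review bot: `get_cdh_resource` panics through `.expect("Confidential Data Hub not initialized")` although it returns `Result`, so any caller that runs before `init_cdh_client` has completed would abort the agent instead of receiving an error it can handle; `Context` is already imported on the `use anyhow::{bail, Context, Result};` line, so the lookup can propagate instead: `let cdh_client = CDH_CLIENT.get().context("Confidential Data Hub not initialized")?;`. Separately, `get_resource` builds the request with `format!("kbs://{}", resource_path)` and performs no validation, so if `resource_path` is ever sourced from something untrusted (pod spec, annotations, a container image) an empty string, an embedded scheme or `..` segments would be forwarded to the CDH verbatim and it would be up to the KBS policy alone to refuse it; either a small guard rejecting empty input and anything already carrying a scheme, or at minimum a doc comment stating that callers must pass a trusted, pre-validated resource path, would make that contract explicit. The `#[allow(dead_code)]` on `get_cdh_resource` would also read better with the reason from the commit message next to it, e.g. `// Planned use is architecture-specific; remove the allow once the first caller lands.`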


@ -35,3 +35,15 @@ service SealedSecretService {
service SecureMountService { service SecureMountService {
rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {}; rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {};
} }
message GetResourceRequest {
string ResourcePath = 1;
}
message GetResourceResponse {
bytes Resource = 1;
}
service GetResourceService {
rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {};
}
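Review bot: `ResourcePath` in the new `GetResourceRequest` carries no comment describing what it holds, and the agent side in cdh.rs prepends `kbs://` before sending, so a reader of the proto alone cannot tell whether the field expects a full URI or a bare path; a field comment such as `// Full resource URI including scheme (e.g. kbs://...), resolved by the CDH.` and `// Raw bytes of the resource as returned by the CDH.` on `Resource` would pin that down. Since the commit message says these definitions are copied from guest-components, a one-line header above `service GetResourceService` noting the upstream source would also help keep the two in sync.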