mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-07-31 23:36:12 +00:00
agent:config: Support secure_storage_integrity option for trusted storage
After enable secure storage integrity for trusted storage, the initialize time will take more times, the default value will be NOT enabled but add this config to allow the user to enable if they care more strict security. Fixes: #8142 Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com> Co-authored-by: Wang, Arron <arron.wang@intel.com>
This commit is contained in:
parent
775f6bdc5c
commit
94347e2537
@ -31,6 +31,7 @@ const GUEST_COMPONENTS_REST_API_OPTION: &str = "agent.guest_components_rest_api"
|
||||
const GUEST_COMPONENTS_PROCS_OPTION: &str = "agent.guest_components_procs";
|
||||
#[cfg(feature = "guest-pull")]
|
||||
const IMAGE_REGISTRY_AUTH_OPTION: &str = "agent.image_registry_auth";
|
||||
const SECURE_STORAGE_INTEGRITY_OPTION: &str = "agent.secure_storage_integrity";
|
||||
|
||||
// Configure the proxy settings for HTTPS requests in the guest,
|
||||
// to solve the problem of not being able to access the specified image in some cases.
|
||||
@ -110,6 +111,7 @@ pub struct AgentConfig {
|
||||
pub guest_components_procs: GuestComponentsProcs,
|
||||
#[cfg(feature = "guest-pull")]
|
||||
pub image_registry_auth: String,
|
||||
pub secure_storage_integrity: bool,
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize)]
|
||||
@ -131,6 +133,7 @@ pub struct AgentConfigBuilder {
|
||||
pub guest_components_procs: Option<GuestComponentsProcs>,
|
||||
#[cfg(feature = "guest-pull")]
|
||||
pub image_registry_auth: Option<String>,
|
||||
pub secure_storage_integrity: Option<bool>,
|
||||
}
|
||||
|
||||
macro_rules! config_override {
|
||||
@ -198,6 +201,7 @@ impl Default for AgentConfig {
|
||||
guest_components_procs: GuestComponentsProcs::default(),
|
||||
#[cfg(feature = "guest-pull")]
|
||||
image_registry_auth: String::from(""),
|
||||
secure_storage_integrity: false,
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -237,7 +241,7 @@ impl FromStr for AgentConfig {
|
||||
config_override!(agent_config_builder, agent_config, guest_components_procs);
|
||||
#[cfg(feature = "guest-pull")]
|
||||
config_override!(agent_config_builder, agent_config, image_registry_auth);
|
||||
|
||||
config_override!(agent_config_builder, agent_config, secure_storage_integrity);
|
||||
Ok(agent_config)
|
||||
}
|
||||
}
|
||||
@ -359,6 +363,12 @@ impl AgentConfig {
|
||||
config.image_registry_auth,
|
||||
get_string_value
|
||||
);
|
||||
parse_cmdline_param!(
|
||||
param,
|
||||
SECURE_STORAGE_INTEGRITY_OPTION,
|
||||
config.secure_storage_integrity,
|
||||
get_bool_value
|
||||
);
|
||||
}
|
||||
|
||||
config.override_config_from_envs();
|
||||
@ -586,6 +596,7 @@ mod tests {
|
||||
guest_components_procs: GuestComponentsProcs,
|
||||
#[cfg(feature = "guest-pull")]
|
||||
image_registry_auth: &'a str,
|
||||
secure_storage_integrity: bool,
|
||||
}
|
||||
|
||||
impl Default for TestData<'_> {
|
||||
@ -607,6 +618,7 @@ mod tests {
|
||||
guest_components_procs: GuestComponentsProcs::default(),
|
||||
#[cfg(feature = "guest-pull")]
|
||||
image_registry_auth: "",
|
||||
secure_storage_integrity: false,
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1050,6 +1062,31 @@ mod tests {
|
||||
image_registry_auth: "kbs:///default/credentials/test",
|
||||
..Default::default()
|
||||
},
|
||||
TestData {
|
||||
contents: "",
|
||||
secure_storage_integrity: false,
|
||||
..Default::default()
|
||||
},
|
||||
TestData {
|
||||
contents: "agent.secure_storage_integrity=true",
|
||||
secure_storage_integrity: true,
|
||||
..Default::default()
|
||||
},
|
||||
TestData {
|
||||
contents: "agent.secure_storage_integrity=false",
|
||||
secure_storage_integrity: false,
|
||||
..Default::default()
|
||||
},
|
||||
TestData {
|
||||
contents: "agent.secure_storage_integrity=1",
|
||||
secure_storage_integrity: true,
|
||||
..Default::default()
|
||||
},
|
||||
TestData {
|
||||
contents: "agent.secure_storage_integrity=0",
|
||||
secure_storage_integrity: false,
|
||||
..Default::default()
|
||||
},
|
||||
];
|
||||
|
||||
let dir = tempdir().expect("failed to create tmpdir");
|
||||
@ -1111,6 +1148,11 @@ mod tests {
|
||||
);
|
||||
#[cfg(feature = "guest-pull")]
|
||||
assert_eq!(d.image_registry_auth, config.image_registry_auth, "{}", msg);
|
||||
assert_eq!(
|
||||
d.secure_storage_integrity, config.secure_storage_integrity,
|
||||
"{}",
|
||||
msg
|
||||
);
|
||||
|
||||
for v in vars_to_unset {
|
||||
env::remove_var(v);
|
||||
|
Loading…
Reference in New Issue
Block a user