From 94347e25377827771c20ad6810cc4e39ed32d627 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Wed, 10 Jul 2024 20:54:11 +0800 Subject: [PATCH] agent:config: Support secure_storage_integrity option for trusted storage After enable secure storage integrity for trusted storage, the initialize time will take more times, the default value will be NOT enabled but add this config to allow the user to enable if they care more strict security. Fixes: #8142 Signed-off-by: ChengyuZhu6 Co-authored-by: Wang, Arron --- src/agent/src/config.rs | 44 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/src/agent/src/config.rs b/src/agent/src/config.rs index 00787f3d9a..acb07dfacc 100644 --- a/src/agent/src/config.rs +++ b/src/agent/src/config.rs @@ -31,6 +31,7 @@ const GUEST_COMPONENTS_REST_API_OPTION: &str = "agent.guest_components_rest_api" const GUEST_COMPONENTS_PROCS_OPTION: &str = "agent.guest_components_procs"; #[cfg(feature = "guest-pull")] const IMAGE_REGISTRY_AUTH_OPTION: &str = "agent.image_registry_auth"; +const SECURE_STORAGE_INTEGRITY_OPTION: &str = "agent.secure_storage_integrity"; // Configure the proxy settings for HTTPS requests in the guest, // to solve the problem of not being able to access the specified image in some cases. @@ -110,6 +111,7 @@ pub struct AgentConfig { pub guest_components_procs: GuestComponentsProcs, #[cfg(feature = "guest-pull")] pub image_registry_auth: String, + pub secure_storage_integrity: bool, } #[derive(Debug, Deserialize)] @@ -131,6 +133,7 @@ pub struct AgentConfigBuilder { pub guest_components_procs: Option, #[cfg(feature = "guest-pull")] pub image_registry_auth: Option, + pub secure_storage_integrity: Option, } macro_rules! config_override { @@ -198,6 +201,7 @@ impl Default for AgentConfig { guest_components_procs: GuestComponentsProcs::default(), #[cfg(feature = "guest-pull")] image_registry_auth: String::from(""), + secure_storage_integrity: false, } } } @@ -237,7 +241,7 @@ impl FromStr for AgentConfig { config_override!(agent_config_builder, agent_config, guest_components_procs); #[cfg(feature = "guest-pull")] config_override!(agent_config_builder, agent_config, image_registry_auth); - + config_override!(agent_config_builder, agent_config, secure_storage_integrity); Ok(agent_config) } } @@ -359,6 +363,12 @@ impl AgentConfig { config.image_registry_auth, get_string_value ); + parse_cmdline_param!( + param, + SECURE_STORAGE_INTEGRITY_OPTION, + config.secure_storage_integrity, + get_bool_value + ); } config.override_config_from_envs(); @@ -586,6 +596,7 @@ mod tests { guest_components_procs: GuestComponentsProcs, #[cfg(feature = "guest-pull")] image_registry_auth: &'a str, + secure_storage_integrity: bool, } impl Default for TestData<'_> { @@ -607,6 +618,7 @@ mod tests { guest_components_procs: GuestComponentsProcs::default(), #[cfg(feature = "guest-pull")] image_registry_auth: "", + secure_storage_integrity: false, } } } @@ -1050,6 +1062,31 @@ mod tests { image_registry_auth: "kbs:///default/credentials/test", ..Default::default() }, + TestData { + contents: "", + secure_storage_integrity: false, + ..Default::default() + }, + TestData { + contents: "agent.secure_storage_integrity=true", + secure_storage_integrity: true, + ..Default::default() + }, + TestData { + contents: "agent.secure_storage_integrity=false", + secure_storage_integrity: false, + ..Default::default() + }, + TestData { + contents: "agent.secure_storage_integrity=1", + secure_storage_integrity: true, + ..Default::default() + }, + TestData { + contents: "agent.secure_storage_integrity=0", + secure_storage_integrity: false, + ..Default::default() + }, ]; let dir = tempdir().expect("failed to create tmpdir"); @@ -1111,6 +1148,11 @@ mod tests { ); #[cfg(feature = "guest-pull")] assert_eq!(d.image_registry_auth, config.image_registry_auth, "{}", msg); + assert_eq!( + d.secure_storage_integrity, config.secure_storage_integrity, + "{}", + msg + ); for v in vars_to_unset { env::remove_var(v);