Merge pull request #10294 from fidencio/topic/bring-ita-support

Bump guest-components / trustee to a version that supports ITA
Fabiano Fidêncio 2024-09-11 19:45:48 +02:00 committed by GitHub
commit 97ecdabde9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 44 additions and 35 deletions

65
src/agent/Cargo.lock generated

@ -380,9 +380,9 @@ checksum = "8b75356056920673b02621b35afd0f7dda9306d03c79a30f5c56c44cf256e3de"
[[package]] [[package]]
name = "async-trait" name = "async-trait"
version = "0.1.81" version = "0.1.82"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6e0c28dcc82d7c8ead5cb13beb15405b57b8546e93215673ff8ca0349a028107" checksum = "a27b8a3a6e1a44fa4c8baf1f653e4172e81486d4941f2237e20dc2d0cf4ddff1"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
"quote", "quote",
@ -398,7 +398,7 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
[[package]] [[package]]
name = "attester" name = "attester"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334" source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-trait", "async-trait",
@ -1157,7 +1157,7 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
[[package]] [[package]]
name = "crypto" name = "crypto"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334" source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
dependencies = [ dependencies = [
"aes-gcm", "aes-gcm",
"anyhow", "anyhow",
@ -2463,7 +2463,7 @@ dependencies = [
[[package]] [[package]]
name = "image-rs" name = "image-rs"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334" source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-compression", "async-compression",
@ -2484,7 +2484,7 @@ dependencies = [
"oci-client", "oci-client",
"oci-spec", "oci-spec",
"ocicrypt-rs", "ocicrypt-rs",
"protobuf 3.5.0", "protobuf 3.5.1",
"reqwest", "reqwest",
"sequoia-openpgp", "sequoia-openpgp",
"serde", "serde",
@ -2800,7 +2800,7 @@ dependencies = [
"opentelemetry", "opentelemetry",
"procfs 0.12.0", "procfs 0.12.0",
"prometheus", "prometheus",
"protobuf 3.5.0", "protobuf 3.5.1",
"protocols", "protocols",
"regex", "regex",
"regorus", "regorus",
@ -2890,7 +2890,7 @@ dependencies = [
[[package]] [[package]]
name = "kbc" name = "kbc"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334" source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-trait", "async-trait",
@ -2919,7 +2919,7 @@ dependencies = [
[[package]] [[package]]
name = "kbs_protocol" name = "kbs_protocol"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334" source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-trait", "async-trait",
@ -2942,13 +2942,14 @@ dependencies = [
[[package]] [[package]]
name = "krata-tokio-tar" name = "krata-tokio-tar"
version = "0.4.0" version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba844968838c1c5892da2116e5f744bceab2b43af34539abdd6cd3975eaca973" checksum = "e8bd5fee9b96acb5fc36b401896d601e6fdcce52b0e651ce24a3b21fb524e79f"
dependencies = [ dependencies = [
"filetime", "filetime",
"futures-core", "futures-core",
"libc", "libc",
"portable-atomic",
"redox_syscall 0.3.5", "redox_syscall 0.3.5",
"tokio", "tokio",
"tokio-stream", "tokio-stream",
@ -3699,7 +3700,7 @@ dependencies = [
[[package]] [[package]]
name = "ocicrypt-rs" name = "ocicrypt-rs"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334" source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
dependencies = [ dependencies = [
"aes", "aes",
"anyhow", "anyhow",
@ -3712,7 +3713,7 @@ dependencies = [
"kbc", "kbc",
"lazy_static", "lazy_static",
"pin-project-lite", "pin-project-lite",
"protobuf 3.5.0", "protobuf 3.5.1",
"ring", "ring",
"serde", "serde",
"serde_json", "serde_json",
@ -4119,6 +4120,12 @@ dependencies = [
"universal-hash", "universal-hash",
] ]
[[package]]
name = "portable-atomic"
version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da544ee218f0d287a911e9c99a39a8c9bc8fcad3cb8db5959940044ecfc67265"
[[package]] [[package]]
name = "powerfmt" name = "powerfmt"
version = "0.2.0" version = "0.2.0"
@ -4312,9 +4319,9 @@ checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
[[package]] [[package]]
name = "protobuf" name = "protobuf"
version = "3.5.0" version = "3.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df67496db1a89596beaced1579212e9b7c53c22dca1d9745de00ead76573d514" checksum = "0bcc343da15609eaecd65f8aa76df8dc4209d325131d8219358c0aaaebab0bf6"
dependencies = [ dependencies = [
"once_cell", "once_cell",
"protobuf-support", "protobuf-support",
@ -4332,13 +4339,13 @@ dependencies = [
[[package]] [[package]]
name = "protobuf-codegen" name = "protobuf-codegen"
version = "3.5.0" version = "3.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eab09155fad2d39333d3796f67845d43e29b266eea74f7bc93f153f707f126dc" checksum = "c4d0cde5642ea4df842b13eb9f59ea6fafa26dcb43e3e1ee49120e9757556189"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"once_cell", "once_cell",
"protobuf 3.5.0", "protobuf 3.5.1",
"protobuf-parse", "protobuf-parse",
"regex", "regex",
"tempfile", "tempfile",
@ -4347,14 +4354,14 @@ dependencies = [
[[package]] [[package]]
name = "protobuf-parse" name = "protobuf-parse"
version = "3.5.0" version = "3.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a16027030d4ec33e423385f73bb559821827e9ec18c50e7874e4d6de5a4e96f" checksum = "1b0e9b447d099ae2c4993c0cbb03c7a9d6c937b17f2d56cfc0b1550e6fcfdb76"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"indexmap 2.2.6", "indexmap 2.2.6",
"log", "log",
"protobuf 3.5.0", "protobuf 3.5.1",
"protobuf-support", "protobuf-support",
"tempfile", "tempfile",
"thiserror", "thiserror",
@ -4363,9 +4370,9 @@ dependencies = [
[[package]] [[package]]
name = "protobuf-support" name = "protobuf-support"
version = "3.5.0" version = "3.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "70e2d30ab1878b2e72d1e2fc23ff5517799c9929e2cf81a8516f9f4dcf2b9cf3" checksum = "f0766e3675a627c327e4b3964582594b0e8741305d628a98a5de75a1d15f99b9"
dependencies = [ dependencies = [
"thiserror", "thiserror",
] ]
@ -4377,7 +4384,7 @@ dependencies = [
"async-trait", "async-trait",
"kata-sys-util", "kata-sys-util",
"oci-spec", "oci-spec",
"protobuf 3.5.0", "protobuf 3.5.1",
"serde", "serde",
"serde_json", "serde_json",
"ttrpc", "ttrpc",
@ -4704,7 +4711,7 @@ dependencies = [
[[package]] [[package]]
name = "resource_uri" name = "resource_uri"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/confidential-containers/guest-components?rev=02af65abc984f91eb97ac7a6b7ff3acce9746334#02af65abc984f91eb97ac7a6b7ff3acce9746334" source = "git+https://github.com/confidential-containers/guest-components?rev=1db6c3a87665dde58d0efa56f4e4af5fcd19620e#1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"serde", "serde",
@ -4944,7 +4951,7 @@ dependencies = [
"nix 0.24.3", "nix 0.24.3",
"oci-spec", "oci-spec",
"path-absolutize", "path-absolutize",
"protobuf 3.5.0", "protobuf 3.5.1",
"protocols", "protocols",
"regex", "regex",
"rlimit", "rlimit",
@ -6185,8 +6192,8 @@ dependencies = [
"libc", "libc",
"log", "log",
"nix 0.26.4", "nix 0.26.4",
"protobuf 3.5.0", "protobuf 3.5.1",
"protobuf-codegen 3.5.0", "protobuf-codegen 3.5.1",
"thiserror", "thiserror",
"tokio", "tokio",
"tokio-vsock 0.4.0", "tokio-vsock 0.4.0",
@ -6200,7 +6207,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2" checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2"
dependencies = [ dependencies = [
"protobuf 2.28.0", "protobuf 2.28.0",
"protobuf-codegen 3.5.0", "protobuf-codegen 3.5.1",
"protobuf-support", "protobuf-support",
"ttrpc-compiler", "ttrpc-compiler",
] ]


@ -77,7 +77,7 @@ strum = "0.26.2"
strum_macros = "0.26.2" strum_macros = "0.26.2"
# Image pull/decrypt # Image pull/decrypt
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "02af65abc984f91eb97ac7a6b7ff3acce9746334", default-features = false, optional = true } image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "1db6c3a87665dde58d0efa56f4e4af5fcd19620e", default-features = false, optional = true }
# Agent Policy # Agent Policy
regorus = { version = "0.1.4", default-features = false, features = [ regorus = { version = "0.1.4", default-features = false, features = [


@ -79,7 +79,8 @@ function create_pod_yaml_with_encrypted_image() {
echo "Pod ${kata_pod_with_encrypted_image}: $(cat ${kata_pod_with_encrypted_image})" echo "Pod ${kata_pod_with_encrypted_image}: $(cat ${kata_pod_with_encrypted_image})"
assert_pod_fail "${kata_pod_with_encrypted_image}" assert_pod_fail "${kata_pod_with_encrypted_image}"
assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key no suitable key found for decrypting layer key' assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
} }
@ -106,7 +107,8 @@ function create_pod_yaml_with_encrypted_image() {
echo "Pod ${kata_pod_with_encrypted_image}: $(cat ${kata_pod_with_encrypted_image})" echo "Pod ${kata_pod_with_encrypted_image}: $(cat ${kata_pod_with_encrypted_image})"
assert_pod_fail "${kata_pod_with_encrypted_image}" assert_pod_fail "${kata_pod_with_encrypted_image}"
assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key no suitable key found for decrypting layer key' assert_logs_contain "${node}" kata "${node_start_time}" 'failed to get decrypt key'
assert_logs_contain "${node}" kata "${node_start_time}" 'no suitable key found for decrypting layer key'
} }
teardown() { teardown() {
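Review bot: The two `assert_logs_contain` calls that replace the single message check are evaluated independently, so 'failed to get decrypt key' and 'no suitable key found for decrypting layer key' can each be satisfied by unrelated log entries written since `node_start_time`; the same split is made in both test bodies of this file. These negative tests are the evidence that an encrypted image is refused when no key is available, so the reason for the looser match should be recorded next to it, for example `# the error text between these two fragments changed with the guest-components bump (presumably; confirm), so match them separately`. If `assert_logs_contain` accepts a pattern, which is not visible here, one check requiring both fragments on the same log line would keep the original strictness. Both test bodies start outside the hunks.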


@ -231,15 +231,15 @@ externals:
coco-guest-components: coco-guest-components:
description: "Provides attested key unwrapping for image decryption" description: "Provides attested key unwrapping for image decryption"
url: "https://github.com/confidential-containers/guest-components/" url: "https://github.com/confidential-containers/guest-components/"
version: "d996c692207a983426ae0043952d15ed18e84f66" version: "1db6c3a87665dde58d0efa56f4e4af5fcd19620e"
toolchain: "1.76.0" toolchain: "1.76.0"
coco-trustee: coco-trustee:
description: "Provides attestation and secret delivery components" description: "Provides attestation and secret delivery components"
url: "https://github.com/confidential-containers/trustee" url: "https://github.com/confidential-containers/trustee"
version: "e890fc90c384207668fa3a4d6a2f2a2d652797ee" version: "6f767fa15fb0119dcae5ff77cad9987741e4e788"
image: "ghcr.io/confidential-containers/staged-images/kbs" image: "ghcr.io/confidential-containers/staged-images/kbs"
image_tag: "e890fc90c384207668fa3a4d6a2f2a2d652797ee" image_tag: "6f767fa15fb0119dcae5ff77cad9987741e4e788"
toolchain: "1.74.0" toolchain: "1.74.0"
crio: crio: