kata-types: Implement InitData retrieval from Pod annotation

This commit implements the retrieval and processing of InitData provided via a Pod annotation. Specifically, it enables runtime-rs to: (1) Parse the "io.katacontainers.config.hypervisor.cc_init_data" annotation from the Pod YAML. (2) Perform reverse operations on the annotation value: base64 decoding followed by gzip decompression. (3) Deserialize the decompressed data into the internal InitData structure. (4) Serialize the resulting InitData into a string and store it in the Configuration. This allows users to inject configuration data into the TEE Guest by encoding and compressing it and passing it as an annotation in the Pod configuration. This mechanism supports scenarios where dynamic config is required for Confidential Containers. Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-09-17 06:48:51 +00:00 · 2025-06-13 17:21:13 +08:00
parent 4ca394f4fc
commit 9b21d062c9
1 changed files with 8 additions and 0 deletions
--- a/src/libs/kata-types/src/annotations/mod.rs
+++ b/src/libs/kata-types/src/annotations/mod.rs
@@ -15,6 +15,7 @@ use serde::Deserialize;
 use crate::config::hypervisor::{get_hypervisor_plugin, HugePageType};

 use crate::config::TomlConfig;
+use crate::initdata::add_hypervisor_initdata_overrides;
 use crate::sl;

 use self::cri_containerd::{SANDBOX_CPU_PERIOD_KEY, SANDBOX_CPU_QUOTA_KEY, SANDBOX_MEM_KEY};
@@ -271,6 +272,9 @@ pub const KATA_ANNO_CFG_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS: &str =
    "io.katacontainers.config.hypervisor.virtio_fs_extra_args";
 /// A sandbox annotation to specify as the msize for 9p shares.
 pub const KATA_ANNO_CFG_HYPERVISOR_MSIZE_9P: &str = "io.katacontainers.config.hypervisor.msize_9p";
+/// The initdata annotation passed in when CVM launchs
+pub const KATA_ANNO_CFG_HYPERVISOR_INIT_DATA: &str =
+    "io.katacontainers.config.hypervisor.cc_init_data";

 // Runtime related annotations
 /// Prefix for Runtime configurations.
@@ -880,6 +884,10 @@ impl Annotation {
                        hv.security_info.validate_path(value)?;
                        hv.security_info.guest_hook_path = value.to_string();
                    }
+                    KATA_ANNO_CFG_HYPERVISOR_INIT_DATA => {
+                        hv.security_info.initdata =
+                            add_hypervisor_initdata_overrides(value).unwrap();
+                    }
                    KATA_ANNO_CFG_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR => {
                        match self.get_value::<bool>(key) {
                            Ok(r) => {