confidential-containers · Xynnn007 · Sep 6, 2024 · Sep 6, 2024 · Sep 6, 2024 · Sep 6, 2024
@@ -118,11 +118,11 @@ jobs:
 
       - name: Run cargo test - kata-cc (rust-tls version) with keywrap-grpc + keywrap-jwe
         run: |
-          sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-ring,keywrap-grpc,snapshot-overlayfs,signature-cosign-rustls,signature-simple,getresource,oci-client/rustls-tls,keywrap-jwe
+          sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-ring,keywrap-grpc,snapshot-overlayfs,signature-cosign-rustls,signature-simple,kbs,oci-client/rustls-tls,keywrap-jwe
 
       - name: Run cargo test - kata-cc (native-tls version) with keywrap-grpc + keywrap-jwe
         run: |
-          sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-openssl,keywrap-grpc,snapshot-overlayfs,signature-cosign-native,signature-simple,getresource,oci-client/native-tls,keywrap-jwe
+          sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=encryption-openssl,keywrap-grpc,snapshot-overlayfs,signature-cosign-native,signature-simple,kbs,oci-client/native-tls,keywrap-jwe
 
       - name: Run cargo test - kata-cc (rust-tls version) with keywrap-ttrpc (default) + keywrap-jwe
         run: |

@@ -22,6 +22,7 @@
         "authenticated_registry_credentials_uri": "kbs:///default/credential/test",
         "image_pull_proxy": "http://127.0.0.1:5432",
         "skip_proxy_ips": "192.168.0.1,localhost",
+        "extra_root_certificates": "-----BEGIN CERTIFICATE-----\nMIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA\noRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD\nVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs\nYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl\nczESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEyNDE3NTgyNloXDTMwMDEyNDE3\nNTgyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD\nVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk\nIE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF\nK4EEACIDYgAExmG1ZbuoAQK93USRyZQcsyobfbaAEoKEELf/jK39cOVJt1t4s83W\nXM3rqIbS7qHUHQw/FGyOvdaEUs5+wwxpCWfDnmJMAQ+ctgZqgDEKh1NqlOuuKcKq\n2YAWE5cTH7sHo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC\nBAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC\nAQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE\nAZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB\nCDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEDDhCejDUx6+dlvehW5\ncmmCWmTLdqI1L/1dGBFdia1HP46MC82aXZKGYSutSq37RCYgWjueT+qCMBE1oXDk\nd1JOMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B\nAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQACgCai9x8DAWzX/2IelNWm\nituEBSiq9C9eDnBEckQYikAhPasfagnoWFAtKu/ZWTKHi+BMbhKwswBS8W0G1ywi\ncUWGlzigI4tdxxf1YBJyCoTSNssSbKmIh5jemBfrvIBo1yEd+e56ZJMdhN8e+xWU\nbvovUC2/7Dl76fzAaACLSorZUv5XPJwKXwEOHo7FIcREjoZn+fKjJTnmdXce0LD6\n9RHr+r+ceyE79gmK31bI9DYiJoL4LeGdXZ3gMOVDR1OnDos5lOBcV+quJ6JujpgH\nd9g3Sa7Du7pusD9Fdap98ocZslRfFjFi//2YdVM4MKbq6IwpYNB+2PCEKNC7SfbO\nNgZYJuPZnM/wViES/cP7MZNJ1KUKBI9yh6TmlSsZZOclGJvrOsBZimTXpATjdNMt\ncluKwqAUUzYQmU7bf2TMdOXyA9iH5wIpj1kWGE1VuFADTKILkTc6LzLzOWCofLxf\nonhTtSDtzIv/uel547GZqq+rVRvmIieEuEvDETwuookfV6qu3D/9KuSr9xiznmEg\nxynud/f525jppJMcD/ofbQxUZuGKvb3f3zy+aLxqidoX7gca2Xd9jyUy5Y/83+ZN\nbz4PZx81UJzXVI9ABEh8/xilATh1ZxOePTBJjN7lgr0lXtKYjV/43yyxgUYrXNZS\noLSG2dLCK9mjjraPjau34Q==\n-----END CERTIFICATE-----",
         "work_dir": "/run/image-rs"
     }
 }
@@ -132,6 +132,47 @@ image_pull_proxy = "http://127.0.0.1:5432"
 # By default this value is not set.
 skip_proxy_ips = "192.168.0.1,localhost"
 
+# To support registries with self signed certs. This config item
+# is used to add extra trusted root certifications. The certificates
+# must be encoded by PEM.
+#
+# By default this value is not set.
+extra_root_certificates = [
+"""
+-----BEGIN CERTIFICATE-----
+MIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD
+VQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs
+YXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl
+czESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEyNDE3NTgyNloXDTMwMDEyNDE3
+NTgyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD
+VQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk
+IE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAExmG1ZbuoAQK93USRyZQcsyobfbaAEoKEELf/jK39cOVJt1t4s83W
+XM3rqIbS7qHUHQw/FGyOvdaEUs5+wwxpCWfDnmJMAQ+ctgZqgDEKh1NqlOuuKcKq
+2YAWE5cTH7sHo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC
+BAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC
+AQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE
+AZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB
+CDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEDDhCejDUx6+dlvehW5
+cmmCWmTLdqI1L/1dGBFdia1HP46MC82aXZKGYSutSq37RCYgWjueT+qCMBE1oXDk
+d1JOMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B
+AQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQACgCai9x8DAWzX/2IelNWm
+ituEBSiq9C9eDnBEckQYikAhPasfagnoWFAtKu/ZWTKHi+BMbhKwswBS8W0G1ywi
+cUWGlzigI4tdxxf1YBJyCoTSNssSbKmIh5jemBfrvIBo1yEd+e56ZJMdhN8e+xWU
+bvovUC2/7Dl76fzAaACLSorZUv5XPJwKXwEOHo7FIcREjoZn+fKjJTnmdXce0LD6
+9RHr+r+ceyE79gmK31bI9DYiJoL4LeGdXZ3gMOVDR1OnDos5lOBcV+quJ6JujpgH
+d9g3Sa7Du7pusD9Fdap98ocZslRfFjFi//2YdVM4MKbq6IwpYNB+2PCEKNC7SfbO
+NgZYJuPZnM/wViES/cP7MZNJ1KUKBI9yh6TmlSsZZOclGJvrOsBZimTXpATjdNMt
+cluKwqAUUzYQmU7bf2TMdOXyA9iH5wIpj1kWGE1VuFADTKILkTc6LzLzOWCofLxf
+onhTtSDtzIv/uel547GZqq+rVRvmIieEuEvDETwuookfV6qu3D/9KuSr9xiznmEg
+xynud/f525jppJMcD/ofbQxUZuGKvb3f3zy+aLxqidoX7gca2Xd9jyUy5Y/83+ZN
+bz4PZx81UJzXVI9ABEh8/xilATh1ZxOePTBJjN7lgr0lXtKYjV/43yyxgUYrXNZS
+oLSG2dLCK9mjjraPjau34Q==
+-----END CERTIFICATE-----
+"""
+]
+
 # The path to store the pulled image layer data.
 #
 # This value defaults to `/run/image-rs/`.

@@ -8,6 +8,7 @@ use std::{env, fs, path::Path};
 use anyhow::*;
 use attestation_agent::config::aa_kbc_params::AaKbcParams;
 use config::{Config, File};
+use image_rs::config::ImageConfig;
 use log::{debug, info};
 use serde::Deserialize;
 
@@ -47,82 +48,6 @@ pub struct Credential {
     pub path: String,
 }
 
-#[derive(Clone, Deserialize, Debug, PartialEq, Default)]
-pub struct ImageConfiguration {
-    /// If any image security policy would be used to control the image pulling
-    /// like signature verification, this field is used to set the URI of the
-    /// policy file.
-    ///
-    /// Now it supports two different forms:
-    /// - `KBS URI`: the iamge security policy will be fetched from KBS.
-    ///     e.g. [`image_rs::config::POLICY_FILE_PATH`]
-    /// - `Local Path`: the security policy will be fetched from somewhere locally.
-    ///     e.g. `file:///etc/image-policy.json`.
-    ///
-    /// The policy follows the format of
-    /// <https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md>.
-    ///
-    /// At the same time, some enhencements based on CoCo is used, that is the
-    /// `keyPath` field can be filled with a KBS URI like `kbs:///default/key/1`
-    ///
-    /// This value defaults to `None`.
-    pub image_security_policy_uri: Option<String>,
-
-    /// Sigstore config file URI for simple signing scheme.
-    ///
-    /// When `image_security_policy_uri` is set and `SimpleSigning` (signedBy) is
-    /// used in the policy, the signatures of the images would be used for image
-    /// signature validation. This policy will record where the signatures is.
-    ///
-    /// Now it supports two different forms:
-    /// - `KBS URI`: the sigstore config file will be fetched from KBS,
-    ///     e.g. [`image_rs::config::SIG_STORE_CONFIG_DEFAULT_FILE`].
-    /// - `Local Path`: the sigstore config file will be fetched from somewhere locally,
-    ///     e.g. `file:///etc/simple-signing.yaml`.
-    ///
-    /// This value defaults to `None`.
-    pub sigstore_config_uri: Option<String>,
-
-    /// If any credential auth (Base) would be used to connect to download
-    /// image from private registry, this field is used to set the URI of the
-    /// credential file.
-    ///
-    /// Now it supports two different forms:
-    /// - `KBS URI`: the registry auth will be fetched from KBS,
-    ///     e.g. [`image_rs::config::AUTH_FILE_PATH`].
-    /// - `Local Path`: the registry auth will be fetched from somewhere locally,
-    ///     e.g. `file:///etc/image-registry-auth.json`.
-    ///
-    /// This value defaults to `None`.
-    pub authenticated_registry_credentials_uri: Option<String>,
-
-    /// The maximum number of layers downloaded concurrently when
-    /// pulling one specific image.
-    ///
-    /// This defaults to [`image_rs::config::DEFAULT_MAX_CONCURRENT_DOWNLOAD`].
-    pub max_concurrent_layer_downloads_per_image: Option<usize>,
-
-    /// Proxy that will be used to pull image
-    ///
-    /// This value defaults to `None`.
-    pub image_pull_proxy: Option<String>,
-
-    /// No proxy env that will be used to pull image.
-    ///
-    /// This will ensure that when we access the image registry with specified
-    /// IPs, the `image_pull_proxy` will not be used.
-    ///
-    /// If `image_pull_proxy` is not set, this field will do nothing.
-    ///
-    /// This value defaults to `None`.
-    pub skip_proxy_ips: Option<String>,
-
-    /// The path to store the pulled image layer data.
-    ///
-    /// This value defaults to [`image_rs::config::DEFAULT_WORK_DIR`].
-    pub work_dir: Option<String>,
-}
-
 #[derive(Clone, Deserialize, Debug, PartialEq)]
 pub struct CdhConfig {
     pub kbc: KbsConfig,
@@ -131,7 +56,7 @@ pub struct CdhConfig {
     pub credentials: Vec<Credential>,
 
     #[serde(default)]
-    pub image: ImageConfiguration,
+    pub image: ImageConfig,
 
     pub socket: String,
 }
@@ -161,7 +86,7 @@ impl CdhConfig {
                     kbc: KbsConfig::new()?,
                     credentials: Vec::new(),
                     socket: DEFAULT_CDH_SOCKET_ADDR.into(),
-                    image: ImageConfiguration::default(),
+                    image: ImageConfig::default(),
                 }
             }
         };
@@ -239,9 +164,10 @@ mod tests {
     use std::{env, io::Write};
 
     use anyhow::anyhow;
+    use image_rs::config::ImageConfig;
     use rstest::rstest;
 
-    use crate::{config::DEFAULT_CDH_SOCKET_ADDR, CdhConfig, ImageConfiguration, KbsConfig};
+    use crate::{config::DEFAULT_CDH_SOCKET_ADDR, CdhConfig, KbsConfig};
 
     #[rstest]
     #[case(
@@ -258,6 +184,8 @@ max_concurrent_layer_downloads_per_image = 3
 sigstore_config_uri = "kbs:///default/sigstore-config/test"
 image_security_policy_uri = "kbs:///default/security-policy/test"
 authenticated_registry_credentials_uri = "kbs:///default/credential/test"
+extra_root_certificates = ["cert1", "cert2"]
+image_pull_proxy = "http://127.0.0.1:8080"
     "#,
         Some(CdhConfig {
             kbc: KbsConfig {
@@ -266,14 +194,15 @@ authenticated_registry_credentials_uri = "kbs:///default/credential/test"
                 kbs_cert: Some("".to_string()),
             },
             credentials: vec![],
-            image: ImageConfiguration {
-                max_concurrent_layer_downloads_per_image: Some(3),
+            image: ImageConfig {
+                max_concurrent_layer_downloads_per_image: 3,
                 sigstore_config_uri: Some("kbs:///default/sigstore-config/test".to_string()),
                 image_security_policy_uri: Some("kbs:///default/security-policy/test".to_string()),
                 authenticated_registry_credentials_uri: Some("kbs:///default/credential/test".to_string()),
-                image_pull_proxy: None,
+                image_pull_proxy: Some("http://127.0.0.1:8080".into()),
                 skip_proxy_ips: None,
-                work_dir: None,
+                extra_root_certificates: vec!["cert1".into(), "cert2".into()],
+                ..Default::default()
             },
             socket: "unix:///run/confidential-containers/cdh.sock".to_string(),
         })
@@ -303,14 +232,13 @@ name = "offline_fs_kbc"
             kbs_cert: None,
         },
         credentials: vec![],
-        image: ImageConfiguration {
-            max_concurrent_layer_downloads_per_image: None,
+        image: ImageConfig {
                 sigstore_config_uri: None,
                 image_security_policy_uri: None,
                 authenticated_registry_credentials_uri: None,
                 image_pull_proxy: None,
                 skip_proxy_ips: None,
-                work_dir: None,
+                ..Default::default()
         },
         socket: DEFAULT_CDH_SOCKET_ADDR.to_string(),
     })
@@ -330,14 +258,13 @@ some_undefined_field = "unknown value"
             kbs_cert: None,
         },
         credentials: vec![],
-        image: ImageConfiguration {
-            max_concurrent_layer_downloads_per_image: None,
+        image: ImageConfig {
                 sigstore_config_uri: None,
                 image_security_policy_uri: None,
                 authenticated_registry_credentials_uri: None,
                 image_pull_proxy: None,
                 skip_proxy_ips: None,
-                work_dir: None,
+                ..Default::default()
         },
         socket: DEFAULT_CDH_SOCKET_ADDR.to_string(),
     })
@@ -370,7 +297,7 @@ some_undefined_field = "unknown value"
             },
             credentials: Vec::new(),
             socket: DEFAULT_CDH_SOCKET_ADDR.into(),
-            image: crate::ImageConfiguration::default(),
+            image: ImageConfig::default(),
         };
         assert_eq!(config, expected);