kbs/resource: Add nebula plugin

The nebula plugin can be used to deliver credentials for nodes (confidential PODs or VMs) to join a Nebula overlay network. Within the nebula network, the communication between nodes is automatically encrypted by Nebula. A nebula credential can be requested using the kbs-client: kbs-client --url http://127.0.0.1:8080 \ get-resource \ --path 'plugin/nebula/credential?ip[ip]=10.11.12.13&ip[netbits]=21&name=pod1' at least the IPv4 address (in CIDR notation) and the name of the node must be provided in the query string. The other parameters supported can be found in the struct NebulaCredentialParams. After receiving a credential request, the nebula plugin will call the nebula-cert binary to create a key pair and sign a certificate using the Nebula CA. The generated node.crt and node.key, as well as the ca.rt are then returned to the caller. During the nebula-plugin initialization, a self signed Nebula CA can be created if 'ca_generation_policy = 1' in the nebula-config.toml, the file contains all parameters supported. Another option is to pre-install a ca.key and ca.crt, and set 'ca_generation_policy = 2'. The nebula-plugin cargo feature is set by default, however the plugin itself is not initialized by default. In order to initialize it, you need to add 'nebula' to 'manager_plugin_config.enabled_plugins' in the kbs-config.toml. Closes confidential-containers#396 Signed-off-by: Claudio Carvalho <[email protected]>
cclaudio · Jul 31, 2024 · 46ebcc8 · 46ebcc8
1 parent c903d2d
commit 46ebcc8
Show file tree

Hide file tree

Showing 8 changed files with 563 additions and 3 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -40,6 +40,7 @@ reqwest = "0.12"
 rstest = "0.18.1"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.89"
+serde_qs = "0.13.0"
 serde_with = { version = "1.11.0", features = ["base64", "hex"] }
 serial_test = "0.9.0"
 sha2 = "0.10"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -18,6 +18,7 @@ services:
       - ./kbs/data/kbs-plugin:/opt/confidential-containers/kbs/plugin:rw
       - ./kbs/config/public.pub:/opt/confidential-containers/kbs/user-keys/public.pub
       - ./kbs/config/docker-compose/kbs-config.toml:/etc/kbs/kbs-config.toml
+      - ./kbs/config/plugin/nebula-config.toml:/etc/kbs/plugin/nebula-config.toml
     depends_on:
     - as
 

diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
@@ -41,6 +41,7 @@ rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]
 
 # Use openssl crypto stack for KBS
 openssl = ["actix-web/openssl", "dep:openssl"]
+nebula-plugin = []
 
 # Use aliyun KMS as KBS backend
 aliyun = ["kms/aliyun"]
@@ -76,16 +77,17 @@ semver = "1.0.16"
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
 strum.workspace = true
+serde_qs.workspace = true
 thiserror.workspace = true
 time = { version = "0.3.23", features = ["std"] }
 tokio.workspace = true
 tonic = { workspace = true, optional = true }
 uuid = { version = "1.2.2", features = ["serde", "v4"] }
 openssl = { version = "0.10.46", optional = true }
+tempfile.workspace = true
 
 [dev-dependencies]
-tempfile.workspace = true
 rstest.workspace = true
 
 [build-dependencies]
-tonic-build = { workspace = true, optional = true }
+tonic-build = { workspace = true, optional = true }
diff --git a/kbs/config/plugin/nebula-config.toml b/kbs/config/plugin/nebula-config.toml
@@ -0,0 +1,69 @@
+# Required: <String>
+# CA certificate path
+crt_path = "/opt/confidential-containers/kbs/plugin/nebula/ca/ca.crt"
+
+# Required: <String>
+# CA key path
+key_path = "/opt/confidential-containers/kbs/plugin/nebula/ca/ca.key"
+
+# Required: <u32>
+# Certificate Authority generation policy
+#
+# 1 = Create a self signed CA only if
+#     crt_path/key_path not found
+#
+# 2 = Never generate self signed CA as
+#     both crt_path and key_path are pre-installed
+ca_generation_policy = 1
+
+[self_signed_ca_config]
+
+# Required: <String>
+# Name of the certificate authority
+name = "Nebula CA for Trustee KBS"
+
+# Optional: <u32>
+# Argon2 iterations parameter used for encrypted
+# private key passphrase (default 1)
+## argon_iterations = 1
+
+# Optional: <u32>
+# Argon2 memory parameter (in KiB) used for encrypted
+# private key passphrase (default 2097152)
+## argon_memory = 2097152
+
+# Optional: <u32>
+# Argon2 parallelism parameter used for encrypted private
+# key passphrase (default 4)
+## argon_parallelism = 4
+
+# Optional: <String>
+# EdDSA/ECDSA Curve (25519, P256) (default "25519")
+## curve = "25519"
+
+# Optional: <String>
+# Amount of time the certificate should be valid for.
+# Valid time units are seconds:
+# "s", minutes: "m", hours: "h" (default 8760h0m0s)
+## duration = "8760h0m0s"
+
+# Optional: <String>
+# Comma separated list of groups. This will limit which
+# groups subordinate certs can use
+## groups = "servers,ssh"
+
+# Optional: <String>
+# Comma separated list of ipv4 address and network
+# in CIDR notation. This will limit which ipv4 addresses and
+# networks subordinate certs can use for ip addresses
+## ips = "192.168.100.10/24"
+
+# Optional: <String>
+# Path to write a QR code image (png) of the certificate
+## out_qr = "/opt/confidential-containers/kbs/plugin/nebula/ca/ca.png"
+
+# Optional: <String>
+# Comma separated list of ipv4 address and network
+# in CIDR notation. This will limit which ipv4 addresses and
+# networks subordinate certs can use in subnets
+## subnets = "192.168.86.0/24"
diff --git a/kbs/docker/coco-as-grpc/Dockerfile b/kbs/docker/coco-as-grpc/Dockerfile
@@ -2,7 +2,7 @@ FROM rust:latest as builder
 ARG ARCH=x86_64
 ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=false
-ARG PLUGINS=""
+ARG PLUGINS="nebula-plugin"
 
 WORKDIR /usr/src/kbs
 COPY . .
@@ -13,8 +13,13 @@ RUN apt-get update && apt install -y protobuf-compiler git
 RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} PLUGINS=${PLUGINS} && \
     make install-kbs
 
+# Install Nebula
+RUN wget https://github.com/slackhq/nebula/releases/download/v1.8.2/nebula-linux-amd64.tar.gz
+RUN tar -C /usr/local/bin -xzf nebula-linux-amd64.tar.gz
+
 FROM ubuntu:22.04
 
 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/kbs"
 
 COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
+COPY --from=builder /usr/local/bin/nebula-cert /usr/local/bin/nebula-cert
diff --git a/kbs/docs/config.md b/kbs/docs/config.md
@@ -92,6 +92,7 @@ List of supported plugins that can be added to `enabled_plugins`.
 
 | Plugin name           | Plugin Description                               | Available Cargo Features      |
 |-----------------------|--------------------------------------------------|-------------------------------|
+| `nebula`              | Provide resources to support the creation of a Nebula encrypted overlay network between nodes.  | `nebula-plugin` |
 
 ### Native Attestation