Injections of environment variables in trustee pods

Logging with DEBUG severity is now configurable via KbsConfig Signed-off-by: Leonardo Milleri <[email protected]>
confidential-containers · Aug 13, 2024 · 8579333 · 8579333
1 parent 93b3d31
commit 8579333
Show file tree

Hide file tree

Showing 10 changed files with 68 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -218,6 +218,8 @@ You’ll need a Kubernetes cluster to run against. You can use [KIND](https://si
 
   It is recommended to uncomment the secret generation for the trustee authorization in the  [kustomization.yaml](config/samples/microservices/kustomization.yaml), for both public and private key (`kbs-auth-public-key` and `kbs-client` secrets)
 
+  For enabling logs with DEBUG severity, uncomment the `patch-env-vars.yaml` line in the  [kustomization.yaml](config/samples/microservices/kustomization.yaml).
+
   ```sh
   cd config/samples/microservices
   # or config/samples/all-in-one for the integrated mode

diff --git a/api/v1alpha1/kbsconfig_types.go b/api/v1alpha1/kbsconfig_types.go
@@ -113,6 +113,11 @@ type KbsConfigSpec struct {
 	// IbmSEConfigSpec is the struct that hosts the IBMSE specific configuration
 	// +optional
 	IbmSEConfigSpec IbmSEConfigSpec `json:"ibmSEConfigSpec,omitempty"`
+
+	// KbsEnvVars injects environment variables in the trustee pods
+	// For example, RUST_LOG=debug enables logging with DEBUG severity
+	// +optional
+	KbsEnvVars map[string]string `json:"KbsEnvVars,omitempty"`
 }
 
 // KbsConfigStatus defines the observed state of KbsConfig

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml b/bundle/manifests/confidentialcontainers.org_kbsconfigs.yaml
@@ -39,6 +39,13 @@ spec:
           spec:
             description: KbsConfigSpec defines the desired state of KbsConfig
             properties:
+              KbsEnvVars:
+                additionalProperties:
+                  type: string
+                description: |-
+                  KbsEnvVars injects environment variables in the trustee pods
+                  For example, RUST_LOG=debug enables logging with DEBUG severity
+                type: object
               ibmSEConfigSpec:
                 description: IbmSEConfigSpec is the struct that hosts the IBMSE specific
                   configuration

diff --git a/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml b/config/crd/bases/confidentialcontainers.org_kbsconfigs.yaml
@@ -39,6 +39,13 @@ spec:
           spec:
             description: KbsConfigSpec defines the desired state of KbsConfig
             properties:
+              KbsEnvVars:
+                additionalProperties:
+                  type: string
+                description: |-
+                  KbsEnvVars injects environment variables in the trustee pods
+                  For example, RUST_LOG=debug enables logging with DEBUG severity
+                type: object
               ibmSEConfigSpec:
                 description: IbmSEConfigSpec is the struct that hosts the IBMSE specific
                   configuration

diff --git a/config/samples/all-in-one/kustomization.yaml b/config/samples/all-in-one/kustomization.yaml
@@ -24,6 +24,8 @@ patches:
 - path: patch-tdx-config.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
+# uncomment the following line for enabling DEBUG logs
+# - path: patch-env-vars.yaml
 
 resources:
 - kbsconfig_sample.yaml

diff --git a/config/samples/all-in-one/patch-env-vars.yaml b/config/samples/all-in-one/patch-env-vars.yaml
@@ -0,0 +1,8 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  name: kbsconfig-sample
+  namespace: kbs-operator-system
+spec:
+  KbsEnvVar: 
+    RUST_LOG: debug
diff --git a/config/samples/microservices/kustomization.yaml b/config/samples/microservices/kustomization.yaml
@@ -25,6 +25,8 @@ patches:
 - path: patch-tdx-config.yaml
 # uncomment the following line for injecting sample resources in kbs
 #- path: patch-kbs-resources.yaml
+# uncomment the following line for enabling DEBUG logs
+#- path: patch-env-vars.yaml
 
 resources:
 - kbsconfig_sample.yaml

diff --git a/config/samples/microservices/patch-env-vars.yaml b/config/samples/microservices/patch-env-vars.yaml
@@ -0,0 +1,8 @@
+apiVersion: confidentialcontainers.org/v1alpha1
+kind: KbsConfig
+metadata:
+  name: kbsconfig-sample
+  namespace: kbs-operator-system
+spec:
+  KbsEnvVar: 
+    RUST_LOG: debug
diff --git a/internal/controller/kbsconfig_controller.go b/internal/controller/kbsconfig_controller.go
@@ -477,13 +477,14 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) (*appsv1.Dep
 	}
 
 	securityContext := createSecurityContext()
-	containers := []corev1.Container{r.buildKbsContainer(kbsVM, securityContext)}
+	env := buildEnvVars(r)
+	containers := []corev1.Container{r.buildKbsContainer(kbsVM, securityContext, env)}
 
 	if kbsDeploymentType == confidentialcontainersorgv1alpha1.DeploymentTypeMicroservices {
 		// build AS container
-		containers = append(containers, r.buildAsContainer(asVM, securityContext))
+		containers = append(containers, r.buildAsContainer(asVM, securityContext, env))
 		// build RVPS container
-		containers = append(containers, r.buildRvpsContainer(rvpsVM, securityContext))
+		containers = append(containers, r.buildRvpsContainer(rvpsVM, securityContext, env))
 	}
 
 	// Create the deployment
@@ -534,7 +535,7 @@ func createSecurityContext() *corev1.SecurityContext {
 	}
 }
 
-func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
+func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext, env []corev1.EnvVar) corev1.Container {
 	asImageName := os.Getenv("AS_IMAGE_NAME")
 	if asImageName == "" {
 		asImageName = DefaultAsImageName
@@ -563,10 +564,11 @@ func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount
 		SecurityContext: securityContext,
 		// Add volume mount for config
 		VolumeMounts: volumeMounts,
+		Env:          env,
 	}
 }
 
-func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
+func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext, env []corev1.EnvVar) corev1.Container {
 	rvpsImageName := os.Getenv("RVPS_IMAGE_NAME")
 	if rvpsImageName == "" {
 		rvpsImageName = DefaultRvpsImageName
@@ -593,10 +595,11 @@ func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMou
 		SecurityContext: securityContext,
 		// Add volume mount for config
 		VolumeMounts: volumeMounts,
+		Env:          env,
 	}
 }
 
-func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
+func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext, env []corev1.EnvVar) corev1.Container {
 	// Get Image Name from env variable if set
 	imageName := os.Getenv("KBS_IMAGE_NAME")
 	if imageName == "" {
@@ -624,15 +627,18 @@ func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMoun
 		SecurityContext: securityContext,
 		// Add volume mount for KBS config
 		VolumeMounts: volumeMounts,
-		/* TODO commented out because not configurable yet
-		Env: []corev1.EnvVar{
-			{
-				Name:  "RUST_LOG",
-				Value: "debug",
-			},
-		},
-		*/
+		Env:          env,
+	}
+}
+
+func buildEnvVars(r *KbsConfigReconciler) []corev1.EnvVar {
+	env := make([]corev1.EnvVar, 0)
+	if r.kbsConfig.Spec.KbsEnvVars != nil {
+		for k, v := range r.kbsConfig.Spec.KbsEnvVars {
+			env = append(env, corev1.EnvVar{Name: k, Value: v})
+		}
 	}
+	return env
 }
 
 func (r *KbsConfigReconciler) isHttpsConfigPresent() bool {