Merge pull request #241 from lmilleri/backport-05112025

Backporting for v1.0.0

Author: lmilleri

Dockerfile

@@ -12,6 +12,9 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
+
+# Copy the config templates
+COPY config/templates/ config/templates/
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/controller/ internal/controller/
@@ -30,6 +33,10 @@ RUN microdnf install -y openssl && microdnf clean all
 
 WORKDIR /
 COPY --from=builder /opt/app-root/src/manager .
+
+# Copy the config templates
+COPY --from=builder /opt/app-root/src/config/templates/ /config/templates/
+
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]

api/v1alpha1/kbsconfig_types.go

@@ -119,6 +119,14 @@ type KbsConfigSpec struct {
 	// KbsHttpsCertSecretName is the name of the secret that contains the KBS https certificate
 	KbsHttpsCertSecretName string `json:"kbsHttpsCertSecretName,omitempty"`
 
+	// KbsAttestationKeySecretName is the name of the secret that contains the attestation token private key
+	// +optional
+	KbsAttestationKeySecretName string `json:"kbsAttestationKeySecretName,omitempty"`
+
+	// KbsAttestationCertSecretName is the name of the secret that contains the attestation token certificate
+	// +optional
+	KbsAttestationCertSecretName string `json:"kbsAttestationCertSecretName,omitempty"`
+
 	// KbsSecretResources is an array of secret names that contain the keys required by clients
 	// +optional
 	KbsSecretResources []string `json:"kbsSecretResources,omitempty"`
@@ -181,6 +189,92 @@ type KbsConfigList struct {
 	Items           []KbsConfig `json:"items"`
 }
 
+// HttpsSpec defines the desired state for HTTPS configuration
+type HttpsSpec struct {
+	// TlsSecretName is the name of the Kubernetes TLS secret (type: kubernetes.io/tls)
+	// that contains the TLS certificate and private key
+	TlsSecretName string `json:"tlsSecretName,omitempty"`
+}
+
+// AttestationTokenVerificationSpec token validation using trusted certificate authorities
+type AttestationTokenVerificationSpec struct {
+	// TlsSecretName is the name of the Kubernetes TLS secret (type: kubernetes.io/tls)
+	// that contains the TLS certificate for attestation token verification
+	TlsSecretName string `json:"tlsSecretName,omitempty"`
+}
+
+// Profile Type string determines the trustee profile
+// +enum
+type ProfileType string
+
+const (
+	// ProfileTypePermissive: permissive mode is enabled
+	// - resource-policy is permissive
+	// - debug log enabled by default
+	ProfileTypePermissive ProfileType = "Permissive"
+
+	// ProfileTypeRestricted: restricted mode is enabled
+	// - resource-policy is restricted
+	// - https configuration is enforced
+	// - insecure_api enforced to false
+	// - insecure_key enforced to false
+	ProfileTypeRestrictive ProfileType = "Restricted"
+)
+
+// TrusteeConfigSpec defines the desired state of TrusteeConfig
+type TrusteeConfigSpec struct {
+	// HttpsSpec is the struct that hosts the HTTPS configuration
+	// +optional
+	HttpsSpec HttpsSpec `json:"httpsSpec,omitempty"`
+
+	// AttestationTokenVerificationSpec token validation using trusted certificate authorities
+	// +optional
+	AttestationTokenVerificationSpec AttestationTokenVerificationSpec `json:"attestationTokenVerificationSpec,omitempty"`
+
+	// ProfileType determines how to configure trustee, e.g. in permissive/restricted mode etc.
+	Profile ProfileType `json:"profileType,omitempty"`
+
+	// KbsServiceType is the type of service to create for KBS
+	// Default value is ClusterIP
+	// +optional
+	KbsServiceType corev1.ServiceType `json:"kbsServiceType,omitempty"`
+}
+
+// TrusteeConfigStatus defines the observed state of TrusteeConfig
+type TrusteeConfigStatus struct {
+	// IsReady is true when the TrusteeConfig configuration is ready
+	IsReady bool `json:"isReady,omitempty"`
+
+	// KbsConfigRef is a reference to the associated KbsConfig object
+	// +optional
+	KbsConfigRef *corev1.ObjectReference `json:"kbsConfigRef,omitempty"`
+
+	// StatusDescription provides a human-readable description of the current status
+	// +optional
+	StatusDescription string `json:"statusDescription,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// TrusteeConfig is the Schema for the trusteeconfigs API
+type TrusteeConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TrusteeConfigSpec   `json:"spec,omitempty"`
+	Status TrusteeConfigStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// TrusteeConfigList contains a list of TrusteeConfig
+type TrusteeConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []TrusteeConfig `json:"items"`
+}
+
 func init() {
-	SchemeBuilder.Register(&KbsConfig{}, &KbsConfigList{})
+	SchemeBuilder.Register(&KbsConfig{}, &KbsConfigList{}, &TrusteeConfig{}, &TrusteeConfigList{})
 }

api/v1alpha1/zz_generated.deepcopy.go

@@ -71,6 +71,14 @@ spec:
                   KbsAsConfigMapName is the name of the configmap that contains the KBS AS configuration
                   Required only when MicroservicesDeployment is set
                 type: string
+              kbsAttestationCertSecretName:
+                description: KbsAttestationCertSecretName is the name of the secret
+                  that contains the attestation token certificate
+                type: string
+              kbsAttestationKeySecretName:
+                description: KbsAttestationKeySecretName is the name of the secret
+                  that contains the attestation token private key
+                type: string
               kbsAttestationPolicyConfigMapName:
                 description: KbsAttestationPolicyConfigMapName is the name of the
                   configmap that contains the Attestation Policy