draft support for encrypted mesh in guest components

Signed-off-by: Chris Porter <[email protected]>

Author: portersrc

Cargo.toml

@@ -55,6 +55,7 @@ rstest = "0.17"
 serde = { version = "1.0", features = ["derive"] }
 serde_with = { version = "1.11.0", features = ["base64"] }
 serde_json = "1.0"
+serde_yml = "0.0.11"
 serial_test = "3"
 sha2 = "0.10.7"
 strum = { version = "0.26", features = ["derive"] }

confidential-data-hub/example.config.json

@@ -24,5 +24,12 @@
         "skip_proxy_ips": "192.168.0.1,localhost",
         "extra_root_certificates": "-----BEGIN CERTIFICATE-----\nMIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA\noRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD\nVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs\nYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl\nczESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEyNDE3NTgyNloXDTMwMDEyNDE3\nNTgyNlowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD\nVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk\nIE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF\nK4EEACIDYgAExmG1ZbuoAQK93USRyZQcsyobfbaAEoKEELf/jK39cOVJt1t4s83W\nXM3rqIbS7qHUHQw/FGyOvdaEUs5+wwxpCWfDnmJMAQ+ctgZqgDEKh1NqlOuuKcKq\n2YAWE5cTH7sHo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC\nBAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC\nAQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE\nAZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB\nCDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEDDhCejDUx6+dlvehW5\ncmmCWmTLdqI1L/1dGBFdia1HP46MC82aXZKGYSutSq37RCYgWjueT+qCMBE1oXDk\nd1JOMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B\nAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQACgCai9x8DAWzX/2IelNWm\nituEBSiq9C9eDnBEckQYikAhPasfagnoWFAtKu/ZWTKHi+BMbhKwswBS8W0G1ywi\ncUWGlzigI4tdxxf1YBJyCoTSNssSbKmIh5jemBfrvIBo1yEd+e56ZJMdhN8e+xWU\nbvovUC2/7Dl76fzAaACLSorZUv5XPJwKXwEOHo7FIcREjoZn+fKjJTnmdXce0LD6\n9RHr+r+ceyE79gmK31bI9DYiJoL4LeGdXZ3gMOVDR1OnDos5lOBcV+quJ6JujpgH\nd9g3Sa7Du7pusD9Fdap98ocZslRfFjFi//2YdVM4MKbq6IwpYNB+2PCEKNC7SfbO\nNgZYJuPZnM/wViES/cP7MZNJ1KUKBI9yh6TmlSsZZOclGJvrOsBZimTXpATjdNMt\ncluKwqAUUzYQmU7bf2TMdOXyA9iH5wIpj1kWGE1VuFADTKILkTc6LzLzOWCofLxf\nonhTtSDtzIv/uel547GZqq+rVRvmIieEuEvDETwuookfV6qu3D/9KuSr9xiznmEg\nxynud/f525jppJMcD/ofbQxUZuGKvb3f3zy+aLxqidoX7gca2Xd9jyUy5Y/83+ZN\nbz4PZx81UJzXVI9ABEh8/xilATh1ZxOePTBJjN7lgr0lXtKYjV/43yyxgUYrXNZS\noLSG2dLCK9mjjraPjau34Q==\n-----END CERTIFICATE-----",
         "work_dir": "/run/image-rs"
+    },
+    "overlay_network": {
+        "enable": "true",
+        "nebula": {
+            "lighthouse_ip": "192.168.100.100",
+            "overlay_netmask": "255.255.255.0"
+        }
     }
 }

confidential-data-hub/example.config.toml

@@ -176,4 +176,22 @@ oLSG2dLCK9mjjraPjau34Q==
 # The path to store the pulled image layer data.
 #
 # This value defaults to `/run/image-rs/`.
-work_dir = "/run/image-rs"
+work_dir = "/run/image-rs"
+
+
+# (Optional) Overlay network-related configuration
+# If enabled, overlay_network.nebula (and all its fields) are required
+[overlay_network]
+
+# Set enable to true to enable the overlay network
+enable = "true"
+
+[overlay_network.nebula]
+# The (internal/private) IP address of the lighthouse.
+# This MUST match the IP address (i.e. the internal/overlay/vpn IP address)
+# assigned to the lighthouse, which is running alongside trustee
+lighthouse_ip = "192.168.100.100"
+
+# The netmask of the overlay network. The provided example is a /24 network,
+# allowing for 256 pods in the network.
+overlay_netmask = "255.255.255.0"

confidential-data-hub/hub/Cargo.toml

@@ -40,10 +40,12 @@ image-rs = { path = "../../image-rs", default-features = false, features = ["kat
 kms = { path = "../kms", default-features = false }
 lazy_static.workspace = true
 log.workspace = true
+nix = { workspace = true, features = ["net"] }
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 secret.path = "../secret"
 storage.path = "../storage"
+overlay_network.path = "../overlay-network"
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
 thiserror.workspace = true
@@ -81,3 +83,6 @@ ehsm = ["image/ehsm", "secret/ehsm"]
 bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
 grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
+
+# support overlay network
+overlay-network = []

confidential-data-hub/hub/protos/api.proto

@@ -42,6 +42,15 @@ message ImagePullResponse {
     string manifest_digest = 1;
 }
 
+message InitOverlayNetworkRequest {
+    string pod_name = 1;
+    string lighthouse_pub_ip = 2;
+}
+
+message InitOverlayNetworkResponse {
+    int32 return_code = 1;
+}
+
 service SealedSecretService {
     rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {};
 }
@@ -56,4 +65,8 @@ service SecureMountService {
 
 service ImagePullService {
     rpc PullImage(ImagePullRequest) returns (ImagePullResponse) {};
-}
+}
+
+service OverlayNetworkService {
+    rpc InitOverlayNetwork(InitOverlayNetworkRequest) returns (InitOverlayNetworkResponse) {};
+}

confidential-data-hub/hub/src/api.rs

@@ -32,4 +32,10 @@ pub trait DataHub {
 
     /// Pull image of image url (reference), and place the merged layers in the `bundle_path/rootfs`
     async fn pull_image(&self, _image_url: &str, _bundle_path: &str) -> Result<String>;
+
+    /// Initialize the overlay network
+    async fn init_overlay_network(
+        &self,
+        pod_name: String,
+    ) -> Result<()>;
 }