draft support for encrypted mesh in guest components

Signed-off-by: Chris Porter <[email protected]>

Author: portersrc

Cargo.lock

@@ -55,6 +55,7 @@ rstest = "0.17"
 serde = { version = "1.0", features = ["derive"] }
 serde_with = { version = "1.11.0", features = ["base64"] }
 serde_json = "1.0"
+serde_yml = "0.0.11"
 serial_test = "3"
 sha2 = "0.10.7"
 strum = { version = "0.26", features = ["derive"] }

Cargo.toml

@@ -1,5 +1,5 @@
 {
-  "openapi": "3.0.3",
+  "openapi": "3.1.0",
   "info": {
     "title": "CoCo Restful API",
     "description": "HTTP based API for CoCo containers to get resource/evidence/token from confidential-data-hub and attestation-agent.",
@@ -20,9 +20,7 @@
   "paths": {
     "/aa/evidence": {
       "get": {
-        "tags": [
-          "crate"
-        ],
+        "tags": [],
         "operationId": "_evidence",
         "parameters": [
           {
@@ -67,9 +65,7 @@
     },
     "/aa/token": {
       "get": {
-        "tags": [
-          "crate"
-        ],
+        "tags": [],
         "operationId": "_token",
         "parameters": [
           {
@@ -114,9 +110,7 @@
     },
     "/cdh/resource/{repository}/{type}/{tag}": {
       "get": {
-        "tags": [
-          "crate"
-        ],
+        "tags": [],
         "operationId": "_resource",
         "responses": {
           "200": {
@@ -144,5 +138,6 @@
         }
       }
     }
-  }
+  },
+  "components": {}
 }

api-server-rest/openapi/api.json

@@ -40,10 +40,12 @@ image-rs = { path = "../../image-rs", default-features = false, features = ["kat
 kms = { path = "../kms", default-features = false }
 lazy_static.workspace = true
 log.workspace = true
+nix = { workspace = true, features = ["net"] }
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
 secret.path = "../secret"
 storage.path = "../storage"
+overlay_network.path = "../overlay-network"
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
 thiserror.workspace = true
@@ -81,3 +83,6 @@ ehsm = ["image/ehsm", "secret/ehsm"]
 bin = [ "anyhow", "attestation-agent", "cfg-if", "clap", "config", "env_logger", "serde" ]
 ttrpc = ["dep:ttrpc", "protobuf", "ttrpc-codegen", "tokio/signal"]
 grpc = ["prost", "tonic", "tonic-build", "tokio/signal"]
+
+# support overlay network
+overlay-network = []

confidential-data-hub/hub/Cargo.toml

@@ -42,6 +42,15 @@ message ImagePullResponse {
     string manifest_digest = 1;
 }
 
+message InitOverlayNetworkRequest {
+    string pod_name = 1;
+    string lighthouse_pub_ip = 2;
+}
+
+message InitOverlayNetworkResponse {
+    int32 return_code = 1;
+}
+
 service SealedSecretService {
     rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {};
 }
@@ -56,4 +65,8 @@ service SecureMountService {
 
 service ImagePullService {
     rpc PullImage(ImagePullRequest) returns (ImagePullResponse) {};
-}
+}
+
+service OverlayNetworkService {
+    rpc InitOverlayNetwork(InitOverlayNetworkRequest) returns (InitOverlayNetworkResponse) {};
+}

confidential-data-hub/hub/protos/api.proto

@@ -32,4 +32,11 @@ pub trait DataHub {
 
     /// Pull image of image url (reference), and place the merged layers in the `bundle_path/rootfs`
     async fn pull_image(&self, _image_url: &str, _bundle_path: &str) -> Result<String>;
+
+    /// Initialize the overlay network
+    async fn init_overlay_network(
+        &self,
+        pod_name: String,
+        lighthouse_pub_ip: String,
+    ) -> Result<Vec<u8>>;
 }