Add basic Trustee plugin support to guest-components #1293
Conversation
fitzthum
force-pushed
the
plugin-support-1
branch
from
0c598e1 to
d885b8c
Compare
Rather than overload the ResourceURI to include information about the plugin, let's add a parameter to get_resource that explicitly specifies whcih plugin, and therefore which Trustee endpoint, to use. Add the parameter to get resource (rather than the client builder) because different resources can come from different plugins. In the CDH we don't construct a new client for every request, so we should allow setting the plugin per request. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
Add an optional arg to the trustee attester allowing the user to specify which plugin to use. If not provided, "resource" will be used. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
For now, the CDH will always use the resource plugin. In the future we can allow the plugin to be specified via a sealed secret or the rest API. For now, let's just be explicit about which plugin we are using. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
fitzthum
force-pushed
the
plugin-support-1
branch
from
d885b8c to
d03c65b
Compare
We still have this old KBC abstration from the days before the CDH. Keep the behavior the same by always using the resource plugin. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
There has been some confusion about how to support plugins with the KBS URI. At one point we added a test case that implies that the plugin name should be part of the URI. Since we are now going in the other direction, update the test case to be more generic. Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
|
As I once comment: I prefer a form that the plugin name is contained inside the URI, than another separate parameter. This requires that the existing URI format remain valid; they are all resources. Note that when I designed KBS URI, I put a KBS host/port field in the URI. However, as we used it more, we gradually realized that the actual KBS connection was defined by a global configuration file, such as the CDH configuration file. Therefore, it's completely unnecessary to include this field in the URI. So I suggest updating the KBS URI document, replacing the host/port part with "plugin," and leaving it blank by default as "resource." This ensures backward compatibility, while also simplifying user experience and code design, avoiding the use of multiple parameters. This design style also exists in Alibaba Cloud OSS object storage—a global configuration file specifies the OSS address, and the OSS URI (oss://x/x/x) includes both the bucket and the path. |
|
Not sure what is the best place to add comments. One consideration I see is if we want plugins to define their own versioning instead of kbs/v0 |
I am open to this. I have thought about adding support for multiple KBSes. There is a chance we will want to do that at some point, but I am ok with sacrificing that parameter for plugins. The backwards compatibility part is very important. We can't update all the URIs that are already out there. |
This is a good question. A question from my side is what does
There will be a trade-off for URI and multiple KBSes. My idea is that for most people, there's only one KBS instance, and the URI doesn't need to be considered. However, for the few who need multiple KBS configurations, we can recommend using one-shot CDH tool directly?
Actually in the code all the origin of address of the trustee is from |
I think we probably don't want plugins to have their own versions. Really we need to formalize a backwards compatibility strategy in Trustee. We don't really use this version field at all today.
Yeah I mean that I like this proposal because it doesn't break the URIs we already have (which don't use a plugin and don't use the first field for anything). I think it is probably a good idea to switch the first field to be a plugin. |
3 participants
Following from #1208 and confidential-containers/trustee#1158, let's make the handling of trustee plugins/endpoints in the guest-components.
Specifically, add a plugin parameter to
get_resource. Use this to create the request to Trustee. This way it is explicit which plugin we are using.Also, add support for plugins to the trustee-attester. Add an optional plugin argument that can specify a plugin.
This PR does not change the behavior of the CDH. Instead, we hardcode the CDH to always use the resource plugin. Again, this is much more explicit than what we do now. In the future we can extend the CDH to support other plugins via sealed-secret, ASR, and other interfaces.